• Status: Solved

Media center 2005 - ehshell.exe crash

I’ve a problem with Media center. When I start the program a configure media center wizard appears. A few steps further in I click on the “test” internet connection. A progress bar circle shape appears, a few seconds later ehome crashes.
I’ve tried to bypass this step but ehome crashes in the same way when it is downloading the TV-guide.

Further investigation from log files and event viewer.
--------------------------------
[Crash Information]
ReportVersion=1
MainBinary=C:\WINDOWS\ehome\ehshell.exe
MainBinaryVersion=5.1.2715.2883 (xpsp(wmbla).060409-2023)
CrashTime=2006-05-20 13:19:08 UTC
CurrentPage=InetConnCfgdPage
Exception=System.InvalidCastException
ExceptionMessage=Den angivna omvandlingen är inte giltig.
(ExceptionMessage translated. The informed transformation not valid)

[Stack Trace]

IP=0x05170dbc                  ehiProxy.IEhepgdatEvents_EventProvider..ctor(System.Object A_1)

[Backstack]
MediaCenter.FirstRun.QAlwaysOnInternetPage
MediaCenter.FirstRun.MetadataPage
MediaCenter.FirstRun.CustomerExperiencePage
MediaCenter.FirstRun.PrivacyStatementPage
MediaCenter.FirstRun.GettingStartedPage
MediaCenter.FirstRun.WelcomePage
---------------------
Händelsetyp: Fel
Händelsens källa:                Media Center Guide
Händelsekategori:               Ingen
Händelse-ID:                      0
Datum:                                2006-05-20
Tid:                                     15:30:00
Användare:                         Saknas
Dator:            DATOR01
Beskrivning:
Händelseinformation: InvalidCastException trying to create ehepgdat helper.
Process: DefaultDomain
Objektnamn: Microsoft.Ehome.Epg.Helper.EhepgdatHelper
----------------------

I’ve installed all from Windows update. My first suspicion was that framework v2 caused the error, therefore I uninstalled this. And tried again.

My next step was to uninstall all framework v1 (framework 1 + framework 1 sp1 + framework 1 sp1 hotfix). Then I visited Windows update and installed one by one and restarted Windows. For each install I’ve tried again.

Regards Michael K
 
Mohammed Hamada (Senior IT Consultant) commented:
This might be a virus or trojan? Check the following information.

W32/Mytob-CQ is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-CQ copies itself to the Windows system folder as ehshell.exe and bingoo.exe and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
WIN
ehshell.exe

HKCU\Software\Microsoft\Ole
WIN
ehshell.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WIN
ehshell.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WIN
ehshell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WIN
ehshell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WIN
ehshell.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WIN
ehshell.exe

W32/Mytob-CQ copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) in the same location. This component attempts to spread the worm by sending files through Windows Messenger to all online contacts.

W32/Mytob-CQ also appends the following to the HOSTS file to deny access to security related websites:

W32/Mytob-CQ is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Email sent by W32/Mytob-CQ has the following characteristics:

Subject line chosen from:

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text chosen from:

'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'

The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.

W32/Mytob-CQ harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager.

W32/Mytob-CQ also drops a file 2pac.txt in the Windows System folder. This file may be deleted.

The following patch for the operating system vulnerability exploited by W32/Mytob-CQ can be obtained from the Microsoft website:

LSASS (MS04-011) security vulnerability

Ref:
http://www.sophos.com/virusinfo/analyses/w32mytobcq.html
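
Two of the indicators in the description quoted above can be checked mechanically: HOSTS entries that pin other sites to loopback, and an ehshell.exe referenced anywhere other than the C:\WINDOWS\ehome path shown in the crash report. The Python sketch below is an added example, not part of the original thread or of the Sophos write-up; the function names and sample data are constructed, and command values are assumed to be bare paths without arguments.

```python
import ntpath

# Legitimate location, taken from MainBinary in the crash report in this thread.
EXPECTED_EHSHELL = r"c:\windows\ehome\ehshell.exe"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

def loopback_redirects(hosts_text):
    """Return hostnames (other than localhost) that a HOSTS file pins to loopback."""
    flagged = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in BENIGN_NAMES and name not in flagged:
                flagged.append(name)
    return flagged

def suspicious_ehshell(entries):
    """Flag (source, command) pairs naming ehshell.exe anywhere but the ehome folder.

    Assumes each command is a bare path with no arguments (hypothetical input shape).
    """
    hits = []
    for source, command in entries:
        path = ntpath.normpath(command.strip().strip('"').lower())
        if ntpath.basename(path) == "ehshell.exe" and path != EXPECTED_EHSHELL:
            hits.append((source, command))
    return hits

# Constructed sample data, not taken from any real machine.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 update.symantec.com  # appended line
10.0.0.5 fileserver
"""
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN", "ehshell.exe"),
    ("process", r"C:\WINDOWS\ehome\ehshell.exe"),
    ("process", r"C:\WINDOWS\system32\ehshell.exe"),
]

if __name__ == "__main__":
    print(loopback_redirects(SAMPLE_HOSTS))
    for source, command in suspicious_ehshell(SAMPLE_ENTRIES):
        print("check:", source, "->", command)
```

A hit is a reason to look closer, not a verdict: ad-blocking HOSTS files also map names to loopback.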

Mohammed Hamada (Senior IT Consultant) commented:
If not, then download this tool and run it.
http://www.pegasi.com/MceRepair_0.2.zip

Klintan (Author) commented:
My ehshell is not malware; it is a shell for Media Center.
I've tried various re-register and repair kits for Media Center. I do not remember if yours was one among them. Will try this evening, thanks.
 
Merete commented:
Hi Klintan, president Klintan I presume, couldn't resist.

Michael, did you notice this is in a non-English language??
What have you installed here? English Media Center or some foreign, is this your media center?? Like Swedish?
MainBinaryVersion=5.1.2715.2883 (xpsp(wmbla).060409-2023)<<<<< MainBinaryVersion.. sounds like the problem..

[Backstack]
MediaCenter.FirstRun.QAlwaysOnInternetPage
MediaCenter.FirstRun.MetadataPage
MediaCenter.FirstRun.CustomerExperiencePage
MediaCenter.FirstRun.PrivacyStatementPage
MediaCenter.FirstRun.GettingStartedPage
MediaCenter.FirstRun.WelcomePage
---------------------
Händelsetyp: Fel
Händelsens källa:                Media Center Guide
Händelsekategori:               Ingen
Händelse-ID:                      0
Datum:                                2006-05-20
Tid:                                     15:30:00
Användare:                         Saknas
Dator:            DATOR01
Beskrivning:
Händelseinformation: InvalidCastException trying to create ehepgdat helper.
Process: DefaultDomain
Objektnamn: Microsoft.Ehome.Epg.Helper.EhepgdatHelper
====================================================================

I have just spent a few days helping another media center user, if I may just provide you with links.
I am exhausted with typing.

Media center full illustrated guide.
http://www.microsoft.com/windowsxp/mediacenter/using/music/enjoymusic.mspx

TVedia FAQ and troubleshooting guide
http://www.8dim.com/support/faq.asp

setting up tv..
http://www.microsoft.com/windowsxp/mediacenter/using/setup/default.mspx
http://www.microsoft.com/windowsxp/using/mce/default.mspx
FAQ
http://www.microsoft.com/windowsxp/mediacenter/evaluation/faq.mspx

Windows Media Center recovery procedure
http://www.fujitsu-siemens.co.uk/rl/servicesupport/techsupport/Consumer/MediaCenter/FAQ/MC_RecoveryProcedure.htm
http://support.gateway.com/s/SOFTWARE/Medialess/MLXPMC0/MLXPMC0nv.shtml


desperation
Remove Media Center, but keep XP
http://www.neowin.net/forum/index.php?http://www.neowin.net/forum/index.php?s=07d2fb92bb3ce363de2f64f70da73e95&showtopic=462415&pid=587523647&st=0&#entry587523647 

Merete

Klintan (Author) commented:
It's a Dell installation. After talking to Dell support they told me to re-install Windows using recovery CD. The operating system is Windows XP pro with Media Center and (u'right) Swedish MUI.
Thanks for the links you provide, I will take a look at them.

Btw: Who is president Klintan? I have had this domain for many years now (klintan.se)

Mohammed Hamada (Senior IT Consultant) commented:
If you have reinstalled Windows and are still having the problem, remove the framework updates and use the following command:

Start --> Run --> Sfc /scannow and press Enter. (You might be prompted to insert the Windows XP CD; insert the CD and wait for the process to be completed, then restart your computer and check.)

Good luck

Klintan (Author) commented:
The "System File Checker" was a good tip, thanks

Merete commented:
lol Michael, obviously you have not heard of the famous tricks with Monica Lewinsky and President Clinton.
If you had, you may have laughed too. Just some simple humour hey ;)

Klintan (Author) commented:
That tool did a very good job. Thanks

Merete commented:
Great to hear, Michael K.
To prevent this from happening again:
Please cover yourself with these great free programs. With these up to date there is a very low chance.
Remember never open email attachments before they have been scanned.
AVG free
AVG AntiVirus offers maximum virus protection,
http://www.majorgeeks.com/download886.html

spyware blaster requires updating works with s&d spybot:
SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://majorgeeks.com/download2859.html

Spybot Search and Destroy
http://www.pcworld.com/downloads/file_description/0,fid,22262,00.asp

Spyware Tools | HijackThis 1.99.1  updates by installing the latest versions.
http://www.majorgeeks.com/download3155.html

analyse site free, put your logs  here analyses immediately.
http://www.hijackthis.de/

Mohammed Hamada (Senior IT Consultant) commented:
Merete, you are such a lovely one :X ;) lol
love the way you like to help ppl :D

Merete commented:
gosh blush lol
that's why I am here :)