• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
LarryM

User32 Illegal Operation

4 posts in this topic

Whenever I boot my W95 machine, it shows 2 popups. The first is labelled User32 and says, "Program has performed an illegal operation and will now shut down." In details, it refers to an invalid page fault. After closing the pop, a second shows labelled Error. It says, "Runtime error 216 at 00000013."

 

Also, I cannot install Ad-aware--the WISE Install window shows for a moment, then evaporates with no further activity. And I perceive the computer is running slower and hanging on occasion. (But it is a W95 200MHz...)

 

I had some malware problems, the Coolwebsearch hijacker and possibly some other things. I followed the directions by Mike in this FAQ and article: did complete virus search w new defs, I ran Spy Bot, CWShredder and, finally, HijackThis. The browser hijack is gone, but the User32 problem, and possible slowness/hanging continues.

 

Here is my HijackThis log. Note that I have not "fixed" any of the items yet though some are mentioned in Mike's pages. I am a little unclear (and wary) and await your advice.

 

Larry

 

Logfile of HijackThis v1.97.7

Scan saved at 11:54:02 PM, on 6/7/04

Platform: Windows 95 a (Win9x 4.00.1111)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\STBVisn.Exe

C:\WINDOWS\SYSTEM\MSWHEEL.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE

C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

C:\MY DOCUMENTS\HIJACKTHIS.EXE

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [sTBVision] STBVisn.Exe

O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe

O4 - HKLM\..\Run: [TIPS] C:\MSINPUT\tips\mouse\tips.exe

O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe

O4 - HKLM\..\Run: [user Mansger] user32.exe

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O13 - WWW. Prefix: http://

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...364/mcfscan.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hello LarryM. I will be working with you to clean up your PC and try and resolve those error messages.

 

icon11.gif Ensure that you have all browser and application windows closed and run HijackThis

 

Click on the Scan button

Put a check beside the following line(s)

If your administrator (If on a network) has not set restrictions on Internet Explorer settings, or if you don't have software installed protecting changes to

 

Internet Explorer settings, check the following:

  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The following 2 entries are loading at startup and are resource hogs. I strongly recommend that you let HijackThis fix them by checking the following:

  • O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
  • O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

Click on the "Fix Checked" button

 

icon11.gif Now reboot your PC.

 

icon11.gif When your PC reboots, make sure you are set to

Show Hidden Files and Folders.

 

icon11.gif Search for user32.exe file:

  • Click on Start > Find > Files or Folders
  • Type user32.exe in the Named box
  • Set the Look In box to C:\
  • Make sure you check the box to Include Subfolders
  • Click the Find Now button

If your PC only finds one copy of the User32.exe file, please delete it.

 

If more than one file is found, please complete the following for each file:

  • Note the "In Folder" location from the search results
  • Right click each file and choose properties
  • Click on the version tab and note the Copyright, Company, and Product Name.

icon11.gif Reply to this thread with an updated HijackThis Log, the user32.exe information (if more than one copy found), and let me know if your problems persist.

 

Thanks!

Share this post


Link to post
Share on other sites

SMCKILLOP,

 

I followed your directions, including "fixing" all the Hijack This items that were optional. Upon reboot, the User32 error did not occur!

 

I also deleted the User32.exe file in c: There was only 1 file found. I ran Hijack This again and the log is pasted below.

 

As far as I can tell, I am back in business, but I will keep an eye on things and repost if I find the hanging issue again. Thank-you very much for the help. This is a great community that I didn't even know about (until disaster, of course)!

 

Larry

 

Logfile of HijackThis v1.97.7

Scan saved at 10:26:17 AM, on 6/9/04

Platform: Windows 95 a (Win9x 4.00.1111)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\STBVisn.Exe

C:\WINDOWS\SYSTEM\MSWHEEL.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE

C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\MY DOCUMENTS\SECURITYSTUFF\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [sTBVision] STBVisn.Exe

O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe

O4 - HKLM\..\Run: [TIPS] C:\MSINPUT\tips\mouse\tips.exe

O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...364/mcfscan.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Great work LarryM! Your log is now clean!

 

icon11.gif I would recommend looking into the following to try and prevent future infections:

 

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.

http://www.wilderssecurity.com/spywareblaster.html

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

And also see TonyKlein's good advice

So how did I get infected in the first place?

 

Thank you for using the SpywareInfo Forums!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0