User32 Illegal Operation



#1 LarryM

Posted 08 June 2004 - 07:45 AM

Whenever I boot my W95 machine, it shows 2 popups. The first is labelled User32 and says, "Program has performed an illegal operation and will now shut down." In details, it refers to an invalid page fault. After closing the popup, a second shows labelled Error. It says, "Runtime error 216 at 00000013."

Also, I cannot install Ad-aware--the WISE Install window shows for a moment, then evaporates with no further activity. And I perceive the computer is running slower and hanging on occasion. (But it is a W95 200MHz...)

I had some malware problems, the Coolwebsearch hijacker and possibly some other things. I followed the directions by Mike in this FAQ and article: did complete virus search w new defs, I ran Spy Bot, CWShredder and, finally, HijackThis. The browser hijack is gone, but the User32 problem, and possible slowness/hanging continues.

Here is my HijackThis log. Note that I have not "fixed" any of the items yet though some are mentioned in Mike's pages. I am a little unclear (and wary) and await your advice.

Larry

Logfile of HijackThis v1.97.7
Scan saved at 11:54:02 PM, on 6/7/04
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STBVisn.Exe
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [STBVision] STBVisn.Exe
O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
O4 - HKLM\..\Run: [TIPS] C:\MSINPUT\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\Run: [User Mansger] user32.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 smckillop

Posted 09 June 2004 - 09:36 AM

Hello LarryM. I will be working with you to clean up your PC and try and resolve those error messages.

Ensure that you have all browser and application windows closed and run HijackThis

Click on the Scan button
Put a check beside the following line(s)
  • O4 - HKLM\..\Run: [User Mansger] user32.exe
  • O13 - WWW. Prefix: http://
  • O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
If your administrator (if on a network) has not set restrictions on Internet Explorer settings, or if you don't have software installed protecting changes to Internet Explorer settings, check the following:
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
The following 2 entries are loading at startup and are resource hogs. I strongly recommend that you let HijackThis fix them by checking the following:
  • O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
  • O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Click on the "Fix Checked" button

Now reboot your PC.

When your PC reboots, make sure you are set to Show Hidden Files and Folders.

Search for user32.exe file:
  • Click on Start > Find > Files or Folders
  • Type user32.exe in the Named box
  • Set the Look In box to C:\
  • Make sure you check the box to Include Subfolders
  • Click the Find Now button
If your PC only finds one copy of the User32.exe file, please delete it.

If more than one file is found, please complete the following for each file:
  • Note the "In Folder" location from the search results
  • Right click each file and choose properties
  • Click on the version tab and note the Copyright, Company, and Product Name.
Reply to this thread with an updated HijackThis Log, the user32.exe information (if more than one copy found), and let me know if your problems persist.

Thanks!
smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.


#3 LarryM

Posted 09 June 2004 - 10:37 AM

SMCKILLOP,

I followed your directions, including "fixing" all the Hijack This items that were optional. Upon reboot, the User32 error did not occur!

I also deleted the User32.exe file in c: There was only 1 file found. I ran Hijack This again and the log is pasted below.

As far as I can tell, I am back in business, but I will keep an eye on things and repost if I find the hanging issue again. Thank-you very much for the help. This is a great community that I didn't even know about (until disaster, of course)!

Larry

Logfile of HijackThis v1.97.7
Scan saved at 10:26:17 AM, on 6/9/04
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STBVisn.Exe
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\SECURITYSTUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsof...ss/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [STBVision] STBVisn.Exe
O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
O4 - HKLM\..\Run: [TIPS] C:\MSINPUT\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
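
An added example (not from any poster in this thread, and not part of HijackThis): a small Python check that diffs two HijackThis logs to confirm that every entry selected for fixing is gone from the follow-up scan, and to list anything else that changed. The sample logs are a constructed excerpt of lines copied from the two logs above; the names `parse`, `verify`, `FIX` and `KEEP` are hypothetical.

```python
import re

# Constructed sample: lines copied from the two HijackThis logs in this thread.
# FIX holds the six entries the helper asked to check; KEEP is lines left alone.
FIX = r"""
O4 - HKLM\..\Run: [User Mansger] user32.exe
O13 - WWW. Prefix: http://
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.bi....chm::/load.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""
KEEP = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
O9 - Extra button: Related (HKLM)
"""
BEFORE = KEEP + FIX
AFTER = KEEP + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsof...ss/allinone.asp
"""

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log):
    """Return the set of (section, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def verify(before, after, fix):
    """Compare two scans against the list of entries that were meant to be fixed."""
    b, a, f = parse(before), parse(after), parse(fix)
    return {
        "still_present": sorted(f & a),              # selected for fixing, still there
        "removed_unrequested": sorted((b - a) - f),  # gone without being selected
        "new": sorted(a - b),                        # only in the second scan
    }

if __name__ == "__main__":
    for key, items in verify(BEFORE, AFTER, FIX).items():
        print(key, len(items))
        for section, body in items:
            print("   ", section, "-", body)
```

Run against the full logs from this thread, the `new` list is where the R1 search-page lines that appear only in the second scan would be reported.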

#4 smckillop

Posted 09 June 2004 - 08:26 PM

Great work LarryM! Your log is now clean!

I would recommend looking into the following to try and prevent future infections:

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://www.wildersse...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see TonyKlein's good advice: "So how did I get infected in the first place?"

Thank you for using the SpywareInfo Forums!
smckillop



