shortstop

"Windows error service" popup

5 posts in this topic

I have the "Windows error service" popup that tries to take me to a "noadware" web site to download their stuff.

Also get: “iexplore.exe - Application Error. The application failed to initialize properly (0xc0000142)...” popup.

The HijackThis file is below. The 04 SuperBar Component and AdRotator and a couple of other things have been "fixed" in HJT, only to regenerate with each reboot.

Need help to *permanently* get these things off. I'm willing to go through several diagnostic steps. Thanks for considering this problem.

 

here's the file:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:18:00 PM, on 6/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\Program Files\Norton Internet Security\ccPxySvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\SxgTkBar.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\WINDOWS\essspk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\WINDOWS\FSScrCtl.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\AnalogX\CookieWall\cookie.exe

C:\WINDOWS\services.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\arpa.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\system32\cidaemon.exe

C:\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldaily.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll (file missing)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b

O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://*.mt-download.com

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.0042013889

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Here is more info on this same problem:

 

Each reboot of XP Pro seems to reactivate bad files and processes that were previously deleted. Is something altering my registry on startup? The result is spyware popups (windows error service; noadware).

Some of the facts:

 

-- some of the files involved are arpa.exe and bhui.exe in system 32, the inetsrv folder of system 32, csrss.exe in drivers folder, and a couple of others.

-- booting into safe mode keeps these from reappearing. BUT if I then try to run regedit (which I really am afraid to do), regedit will not run (hourglass appears and then stops, never opens) *AND* the deleted files mentioned above reappear at that point.

-- booting into normal mode causes these files (and resulting popups) every time.

-- on my Taskmanager, I can see regedit run as one of the processes on startup -- that's not right is it??

-- I can manually end the above processes, delete those files, "fix" the bad registry item in Adaware, and then the machine runs smoothly for that session. BUT I have to do that after each and every bootup. AAAAHHHHH!

 

Log as directly above. Thanks for taking a look.


Hi there. I too had this terrible problem: my regedit and notepad would reinstall the nasties after I would get rid of them. So I searched my hard drive for files that were accessed and created on the day my problem started; in my case the files were created on 6/18/2004 at 9:36AM.

 

So you can try a search of your hard drive for files that were created and that match the dates and times you first started having problems, if you can remember the date of course. Anyway, in my case I found the following duplicate files that seem to be responsible for the trojans reinstalling on my system. I found them in my WINDOWS directory, all created on 6/18/2004 at 9:36AM. The files were

 

NOTEPAD.EXE, PING.EXE, REGEDIT.EXE, WORDPAD.EXE. **remember these are duplicate files I found and they will match the date the trojan installed on your system, don't delete your legit files of the same name.**

 

I deleted those duplicate files and the problem with the trojans reinstalling on reboot seemed to stop, except my real NOTEPAD.exe would still install all the trojan files again. So I checked the date it was created and it seemed to be legit other than it said it was modified 6/18/2004 at 9:36AM. I figure maybe the trojan/virus somehow must have altered it. I ended up copying a NOTEPAD.EXE from my WINDOWS folder and pasting it in my WINDOWS/SYSTEM32 folder and let it replace the altered NOTEPAD, seems to have fixed it for me. Also be sure to turn on show hidden files just in case they are hidden on your system.

 

Hope this makes sense and helps you in some way as I'm not much of a tech person :)

Edited by sarahmartini
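The timestamp search described in the post above, as an added example that is not part of the original post: it walks a folder tree, finds every file created or modified near a given incident time, and lists all same-named copies next to each hit so the duplicate can be told apart from the older copy. The function name, the five-minute window and the temporary folder layout are assumptions made for the illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

def copies_of_touched_files(root, when, window=timedelta(minutes=5)):
    """Return {name: [(path, touched_near_when), ...]} for every file name that has
    at least one copy under root created or modified within `window` of `when`."""
    lo, hi = (when - window).timestamp(), (when + window).timestamp()
    by_name = defaultdict(list)
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            # st_mtime is last-modified; st_ctime is creation time on Windows only.
            near = any(lo <= t <= hi for t in (st.st_mtime, st.st_ctime))
            by_name[name.lower()].append((path, near))
    # Keep only names with a touched copy, listing the untouched copies beside it.
    return {n: sorted(c) for n, c in by_name.items() if any(hit for _p, hit in c)}

if __name__ == "__main__":
    incident = datetime(2004, 6, 18, 9, 36)  # date and time quoted in the post
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for C:\WINDOWS
        layout = {"NOTEPAD.EXE": incident,
                  os.path.join("system32", "notepad.exe"): datetime(2001, 8, 23, 12, 0),
                  os.path.join("system32", "calc.exe"): datetime(2001, 8, 23, 12, 0)}
        for rel, stamp in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        for name, copies in copies_of_touched_files(root, incident).items():
            for path, hit in copies:
                print(name, "TOUCHED" if hit else "older  ", os.path.relpath(path, root))
```

A match is only a candidate for review: installers and updates also write files in bursts, so the hit list narrows where to look rather than proving a file is bad.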


Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll (file missing)

 

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

 

O15 - Trusted Zone: http://*.mt-download.com

 

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

Reboot and delete

 

files

C:\WINDOWS\system32\drivers\csrss.exe

 

folders

C:\WINDOWS\system32\inetsrv

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.
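A check for the pattern behind the two O4 entries fixed above, as an added example that is not part of the original post: core Windows process names (services.exe, csrss.exe) loading from folders where those binaries do not normally live. The table of expected folders is an assumption based on a default Windows XP install, the function name is hypothetical, and the sample lines are copied from the log in this thread.

```python
import ntpath
import re

# Assumed default Windows XP locations for core process names (not from the page).
EXPECTED_DIRS = {
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Matches a full path ending in .exe anywhere in a log line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.exe", re.IGNORECASE)

def misplaced_system_binaries(log_text):
    """Return sorted (path, expected_dir) pairs where a core process name lives elsewhere."""
    hits = set()
    for line in log_text.splitlines():
        for path in PATH_RE.findall(line):
            directory, name = ntpath.split(path.lower())
            expected = EXPECTED_DIRS.get(name)
            if expected and directory != expected:
                hits.add((path.lower(), expected))
    return sorted(hits)

# Lines copied from the HijackThis log in this thread.
SAMPLE = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
"""

if __name__ == "__main__":
    for path, expected in misplaced_system_binaries(SAMPLE):
        print(f"{path}  (expected under {expected})")
```

A hit is a lead for manual review, not a verdict; the check only compares the file name against the folder it was loaded from.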


Thanks. Problem solved. The clue from sarahmartini was golden. The updated Adaware actually finds and removes this popup. But I also had the bad regedit.exe, notepad.exe, wordpad.exe, etc. So each reboot, the regedit would reinstall the bad stuff. I found that, but then each time notepad would run, the bad stuff would install again. That means every time I tried to save a Hijack This log (*.log files are opened with notepad), the bad files would be installed again. Getting rid of those .exe files was the key.

Also, this is a big clue to anyone who cannot open their Hijack This files. (I didn't think anything at first, because I just used Word to open the *.log file.)

Don't let the bad guys win!
