[acampagne]

Hi all. I'm running win2k pro on an older machine (around .8 ghz). I keep my machine very clean and protected to the best of my ability. A few days ago, while visiting a website I received a small box popup asking if I wanted to receive "free [bleep]". I just clicked the "x" on the window and once I did, my entire browser shut down. When I went to restart it, It gave me this:

The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

I restarted the system...and OE is missing and it still will not work. I reinstalled IE6...nothing. I use the IE repair tool...nothing. I tried to uninstall IE6, but ended up having to use IEradicator to remove it. I was up and running with IE5.5, but as soon as I upgrade to 6 I receive the same error. Furthermore, while I'm here with firefox, I cannot use microsoft update, and my scheduled updates are not working.

Can anyone help?

Edited by acampagne, 12 December 2005 - 05:43 PM.

[Advertisements]

Hi acampagne,

If you know which website it was can you PM me the URL please?

Click Start > Run > and copy this command:
regedit.exe /e C:\RPCKDM.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCKDM"
> then click OK to execute.

This should create the file:
C:\RPCKDM.txt
Save that file as a backup for what we are about to remove.

Open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCKDM]


Save this as fix.reg Choose to save as *all files and place it on your desktop.
This is how the regfix must look afterwards:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot and open your Internet Explorer.
Let me know if that solved the problem.

Regards,

[Metallica]

Hi acampagne,

If you know which website it was can you PM me the URL please?

Click Start > Run > and copy this command:
regedit.exe /e C:\RPCKDM.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCKDM"
> then click OK to execute.

This should create the file:
C:\RPCKDM.txt
Save that file as a backup for what we are about to remove.

Open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCKDM]


Save this as fix.reg Choose to save as *all files and place it on your desktop.
This is how the regfix must look afterwards:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot and open your Internet Explorer.
Let me know if that solved the problem.

Regards,

[acampagne]

Thank you very much. I've been messing with this for two weeks! Could you tell me what likely happened? Its really been driving me nuts.

EDIT:
I just noticed that I cannot use HijackThis. Is that a result of this or a sign of a deeper issue?

Edited by acampagne, 17 December 2005 - 07:56 PM.

[Metallica]

What likely happened is that a popup destroyed your IE.

If you are like the other victims you will be running Windows 2000 and IE SP1

We are looking for the offending site(s) or popups to figure out what exactly happens, but it looks as if a non-existing service is created in the registry.
The values for it are in hex, always different and don't make any sense.
Which is probably why IE crashes.

The problem with HijackThis is probably unrelated, since I never heard that before.

Can you try this method?

Can you download this customized version of HijackThis:
HJT + extra

and follow the instructions here to post a both.log
metallica site#BOTHLOG

Regards,

[acampagne]

I downloaded the program successfully, however, I still receive "unexpected error" when I attempt to run it.

[Metallica]

We'll try another program that does something similar.

Download Silentrunners from HERE

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Regards,

[acampagne]

Okay, here's the log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS KHooker" = "F:\WINNT\System32\khooker.exe" ["Silicon Integrated Systems Corporation"]
"vptray" = "F:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
"HP CD-Writer" = "F:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe" [null data]
"POINTER" = "point32.exe" [MS]
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"gcasServ" = ""F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NvCplDaemon" = "RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE F:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"THGuard" = ""F:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express Access"
\StubPath = ""F:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Thumbnails"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\System32\thumbvw.dll" [file not found]
"{EAB841A0-9550-11CF-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\System32\thumbvw.dll" [file not found]
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" = "Office Graphics Filters Thumbnail Extractor"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\System32\thumbvw.dll" [file not found]
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\System32\thumbvw.dll" [file not found]
"{500202A0-731E-11D0-B829-00C04FD706EC}" = "LNK file thumbnail interface delegator"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\System32\thumbvw.dll" [file not found]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\apppatch\slayerui.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "F:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TrojanHunter 4.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "F:\WINNT\System32\NavLogon.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TrojanHunter 4.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TrojanHunter 4.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TrojanHunter 4.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "F:\WINNT\system32\ssstars.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "F:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
INFECTION WARNING! "Reboot.exe" [null data]
"Trend Micro Anti-Spyware" -> shortcut to: "F:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DefWatch, DefWatch, "F:\Program Files\NavNT\defwatch.exe" ["Symantec Corporation"]
ewido security suite control, ewido security suite control, "F:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
HID Input Service, HidServ, "F:\WINNT\system32\hidserv.exe" [MS]
Machine Debug Manager, MDM, ""F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Client, Norton AntiVirus Server, "F:\Program Files\NavNT\rtvscan.exe" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "F:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 115 seconds, including 18 seconds for message boxes)

[Metallica]

The log looks clean enough.

Please download and run VB runtime files following the link here:
http://www.microsoft...&displaylang=en

Choose the correct language if you OS is not english.

Then try running HijackThis again.
I think it will work after that, but it may take a reboot for the changes to take effect.

Regards,

[acampagne]

That definately seemed to do the trick. One last thing from my original post. I still cannot get microsoft update to work. I've tried updating through the website where I receive this message

[Error number: 0x8024402F]
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

I've also configured my auto updates to download and prompt me to install before I go to work in the morning and I have yet to receive any.

If I have to start a new thread I understand. In any event, thank you VERY much for all of your help.

Edited by acampagne, 20 December 2005 - 06:11 PM.

[Metallica]

The best answer I could find for that error. Credit goes to felllow MVP "TaurArian"

Suggestion 1:-
Clearing Temporary Internet files, cookies and history in Internet Explorer
Tools>Internet Options>General
You’ll see Delete Cookies, Delete files, Delete History
NB: "Delete all offline content", will delete all files needed to browse the
websites offline.
Reboot and try Windows Update again.

Suggestion 2:-
The below links assist you in checking your system for parasites:-
http://aumha.org/a/noads.htm
http://inetexplorer....org/tshoot.html
Please note that some malware may kill the internet connection when it is
removed,
the program on the link below will enable you to regain the internet
connection.
http://www.cexx.org/lspfix.htm

Spyware Programs links:-
www.lavasoftusa.com Ad-Aware
www.security.kolla.de Spybot

Suggestion 3:-
Make sure you haven’t got anything blocking Windows Update like Nortons,
Zonealarm etc
Also make sure you don’t have a Web Accelerator working in the background
such as NetZerio, HiSpeed, Speedband etc.

Suggestion 4:
If still receiving the error, then reinstall the Windows Update Engine
http://download.wind...Agent20-x86.exe

In my humble opinion I think you should look at suggestion 3 first, since it is the most common cause.

Regards,