Solved

Unknown Service Fails to Start

Posted on 2006-07-10
Last Modified: 2010-05-18
The following error occurs with the "Ohcusen5ppp service".  What application is this service related to?  I have researched this via Microsoft's KB and Google, but to no avail.  I would like to either remove/reinstall the application that may be causing this error.

Thank you.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            7/10/2006
Time:            9:42:19 AM
User:            N/A
Computer:      JSM
Description:
The Ohcusen5ppp service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:jmanser
14 Comments
 
LVL 6

Expert Comment

by:kkattfish
ID: 17073111
Did you see this page?  http://support.microsoft.com/default.aspx?scid=kb;en-us;314357
Looks like it could be a rights issue for a program specific to users.  There is a resolution on that page as well.
As for the app though, I can't tell from the info you posted.
Is there anything in your event log?
0
 

Author Comment

by:jmanser
ID: 17073204
Thanks for responding... I will look at the above link.  I did copy the event log and paste it into the message.
0
 
LVL 38

Accepted Solution

by:
BillDL earned 85 total points
ID: 17073231
Have you done a file search for Ohcusen5ppp*.*  ?

Open the "Services" Management Console:
Start Menu > Run > and type services.msc > click OK.
Look down the list for any services that resemble the name of the service.
If none do, then double-click on each in turn and look at the name under "Service Name" at the top of the "General" tab.

Once found, look at the description of the service and also check what other services are dependent on it, and what services it is dependent on.  This may give some clue as to what application created this service.

Look under the "Path To Executable" field of the service and let us know what it says.
0
 

Author Comment

by:jmanser
ID: 17073238
thanks, I am investigating and will post ASAP!
0
 
LVL 59

Assisted Solution

by:LeeTutor
LeeTutor earned 165 total points
ID: 17073254
Click on Start -> Run -> type MSCONFIG -> click on the Services tab -> put a check mark next to Hide all Microsoft Services, and see if any of the services remaining can be searched out on google.  If this doesn't help, then use the Startup tab of the same window to disable everything.  In Windows XP, just click on the button for Disable All. Reboot and see if the problem goes away.  If it does then re-enable the startup programs one (or a few) at a time, reboot, and when the problem occurs again, there is your culprit.

In Windows XP: If the problem continues to come up with all startup programs disabled, then it is probably a driver or service.  You can click on the Services tab in MSCONFIG, click on the button for Hide All Microsoft Services, leaving only third-party services displayed, then try turning them off in the same way you did for startup programs.  Finally, if third-party services are eliminated from being the cause of the problem, you could try narrowing down on Microsoft services in the same way.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 17073272
Hey, BillDL, I see you around the Win98 and WinME topic areas all the time.  Did you finally break down and get WinXP?
0
 

Author Comment

by:jmanser
ID: 17073566
To BillDL:  I should have mentioned that I already looked to see if there were any dependencies - there are none.  When I try to start the service, I get "error 3:  system cannot find path specified"
0
 

Author Comment

by:jmanser
ID: 17073703
Other actions taken so far:  search for Ohcusen5ppp*.* turns up nada.  Searching registry I found in HKLM/ControlSet001/Enum/Root/LEGACY_OHCUSEN5PPP/0000 - with following contents:

Class: LegacyDriver
ClassGUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

When I googled the ClassGuid, one of the top search results was from Symantec.  I followed the link and it suggests that I have a virus:  W32.Banish.A@mm.  I guess this is possible, though my AV is up to date and I have recent scans with no viruses found.

Thanks
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 17073768
0
 

Author Comment

by:jmanser
ID: 17074428
Scan showed no viral/malware activity.

Thanks
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 17074828
Here's the Symantec page about that virus.  Try running the removal instructions:

http://securityresponse.symantec.com/avcenter/venc/data/w32.banish.a@mm.html
0
 
LVL 38

Expert Comment

by:BillDL
ID: 17079500
Thank you, jmanser.

Yes, a registry search would have been my next suggestion.  Glad you pre-empted it.
It could be that this isn't a Virus, in the true sense of the word, but an "unwanted program" ie. Adware, Scumware, Pest - call it what you will.

Take a look at this McAfee page that discusses Adware called "Digital-Names":
http://vil.nai.com/vil/content/v_135063.htm
The registry details (under the "Characteristics" tab) match the format of what you seem to have:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<SOME NAME HERE>\0000

AntiVirus software won't necessarily catch all Adware, so I suggest instead running a dedicated Adware finding application like AdAware by Lavasoft:
http://www.lavasoftusa.com/software/adaware/

Perhaps Microsoft's offering in this field might help:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.pcworld.com/news/article/0,aid,119300,00.asp

Look at any of the \0000\ sub-keys under:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
and you will find the String Value:
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

For example, the legitimate "Remote Procedure Call" Service (RpcSs):

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000]
"Service"="RpcSs"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Remote Procedure Call (RPC)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000\Control]
"ActiveService"="RpcSs"

The "ClassGUID" {8ECC055D-047F-11D1-A537-0000F8753ED1} is the "LegacyDriver" Class, and that in itself is quite legitimate, it's just how it seems to have been misused.

It looks like rogue activities can just create a bogus name "LEGACY_???" for their service (possibly randomly named) and add it as a new sub-key to this proper "Root" key and others like:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
so that they all tie together and create a functional service.

In your case, obviously the service isn't fully functional, because it can't find something it needs, but you obviously have the registry entries that will continue to try and launch it as a Service until stopped.  Until then, it may be impossible to remove all the cross-related entries while the service is set to load.

eg.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OHCUSEN5PPP

You will no doubt get a massive number of hits searching for that ClassGUID name in google, but searching for "OHCUSEN5PPP" probably won't find anything (as I found also) IF the name is randomly created.
When I say "random", it obviously has to add the same details consistently to the registry keys needed to create the service, but I am referring to the one-off use of a name.  Perhaps it takes the name of an existing file or registry key and adds characters to it, or jumbles it up.

When I first saw "OHCUSEN5PPP", I thought of several associated things and wondered if you had typed a 5 instead of an S.  I wondered if the "ppp" part referred to the "Point to Point" transmission protocol.  I also wondered if the "ohcu" part was "ohci" (Open Host Controller Interface) mistyped.  Perhaps "Usen" was "User" from a non-English program.  In the end, I believe it is a one-off name designed to resemble something that makes us think that it MAY be a proper system-related one when seen as a running service.

I think the best thing you could do is to try and search cross-referenced registry entries starting from the service name, and export the containing keys to *.REG files.  This gives you a backup that can be restored, and also allows you to verify what an AntiSpyware/Adware program finds when run.

Bill.

LeeTutor
>>>
"Hey, BillDL, I see you around the Win98 and WinME topic areas all the time.  Did you finally break down and get WinXP?"
<<<
Take a look here: http://www.experts-exchange.com/M_897440.html
Perhaps that day has finally arrived :-)
Actually, I've had Windows XP for quite some time, but just prefer Win98se with the unofficial SP as my main OS for everyday use.  It seems that fewer people are asking questions in that TA now, so I should move on.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 17079588
I meant to add details about that "LegacyDriver" ClassGUID:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}]
"Class"="LegacyDriver"
@="Non-Plug and Play Drivers"
"NoDisplayClass"="1"
"SilentInstall"="1"
"NoInstallClass"="1"
"EnumPropPages32"="SysSetup.Dll,LegacyDriverPropPageProvider"
"Icon"="-19"

There should be sub-keys of the {8ECC055D-047F-11D1-A537-0000F8753ED1} key named \0000 to \0026.
I don't know if it goes any higher than that on other XP systems, but that's where mine stops and each sub-key is empty.  Perhaps yours contains some rogue values that tie in with the other "Legacy"-related keys.

I think this just about sums up the likely places to look, although obviously the Display Name may differ, and may or may not show the extension:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Some_Name.ext>]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Some_Name.ext>\0000]
"DeviceDesc"="<Some_Name.ext>"
"Service"="<Some_Name.ext>"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\<Some_Name.ext>]
"DisplayName"="<Some_Name.ext>"
"ImagePath"=<path to file as hex or string-value>

If you can get the "ImagePath" value as a fully qualified path (double-click on value in Regedit or Right-Click > "Modify"), then it would give you an idea why the error shows "system cannot find the path specified" as it would give you a file name to search for.  The file may have been cached somewhere else, or may have been in a folder somewhere else.  If this folder isn't the "system" one (%SystemRoot%\System32), and is another non-system folder lurking somewhere and created when the service was originally created, then there may be other unwanted files in it.
0
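
The cross-reference BillDL describes above (LEGACY_<name>\0000 "Service" value, then Services\<name>, then "ImagePath"), run over the text of an exported .REG file. This is an added example, not part of the original thread; the names ExampleGood and ExampleGone, the sample export and the `exists` callback are constructed assumptions.

```python
import re
# Constructed sample in regedit export layout; ExampleGood/ExampleGone are made-up names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EXAMPLEGOOD\0000]
"Service"="ExampleGood"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EXAMPLEGONE\0000]
"Service"="ExampleGone"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleGood]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\good.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleGone]
"ImagePath"=hex(2):43,00,3a,00,5c,00,67,00,6f,00,6e,00,65,00,5c,00,61,00,2e,00,\
  73,00,79,00,73,00,00,00
'''

def decode(raw):
    """Decode one exported value: a quoted string or hex(1)/hex(2) UTF-16LE bytes."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escaping
    if m := re.match(r"hex\([12]\):(.*)", raw):
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword and other types are left undecoded

def parse_reg(text):
    """Return {key path: {value name: value}} from the text of a .REG export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, raw = line.partition("=")
            cur[name.strip('"')] = decode(raw)
    return keys

def unresolved_legacy(keys, exists):
    """List (service, ImagePath) for LEGACY_* entries whose image cannot be found."""
    svcs = {k.rsplit("\\", 1)[1].lower(): v for k, v in keys.items()
            if re.search(r"\\Services\\[^\\]+$", k, re.I)}
    out = []
    for k, v in keys.items():
        if re.search(r"\\Enum\\Root\\LEGACY_[^\\]+\\0000$", k, re.I):
            path = svcs.get(v.get("Service", "").lower(), {}).get("ImagePath")
            if path is None or not exists(path):
                out.append((v.get("Service"), path))
    return out
```

Regedit writes version 5.00 exports as UTF-16, so read a real file with `open(path, encoding="utf-16")`; an entry reported with a path of `None` has no "ImagePath" value or no matching Services key in the export.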
 
LVL 38

Expert Comment

by:BillDL
ID: 17079647
Before getting too carried away on the notion that this IS a rogue service, we MUST still consider the very real possibility that this IS a legitimate, but orphaned leftover, from some legacy "device" that needed a "driver" and launched as a service.

When you see a "Legacy Device" named "BEEP" that launches as a service of that name, then anything is possible.
Look back at my musings about the possible derivations of the name "OHCUSEN5PPP", and imagine any previous hardware or software (now removed from the system) that could have related to "Open Host Controller" and "Point to Point Transmission Protocol".  A broadband usb modem???

Just expressing caution here ;-)
0
