Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 400
  • Last Modified:

Unknown Service Fails to Start

The following error occurs with the "Ohcusen5ppp service".  What application is this service related to?  I have researched this via Microsoft's KB and Google, but to no avail.  I would like to either remove/reinstall the application that may be causing this error.

Thank you.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            7/10/2006
Time:            9:42:19 AM
User:            N/A
Computer:      JSM
Description:
The Ohcusen5ppp service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
jmanser
Asked:
jmanser
  • 5
  • 4
  • 3
  • +2
2 Solutions
 
kkattfishCommented:
did you see this page?  http://support.microsoft.com/default.aspx?scid=kb;en-us;314357
looks like it could be a rights issue for a program specific to users.  there is a resolution on that page as well.
as for the app though, i can't tell from the info. you posted.  
is there anything in your event log?
0
 
jmanserAuthor Commented:
thanks for responding... I will look at the above link.  i did copy the event log and pasted into the message.
0
 
BillDLCommented:
Have you done a file search for Ohcusen5ppp*.*  ?

Open the "Services" Management Console:
Start Menu > Run > and type services.msc > click OK.
Look down the list for any services that any that resemble the name of the service.
If none do, then double-click on each in turn and look at the name under "Service Name" at the top of the the "General" tab.

Once found, look at the description of the service and also check what other services are dependent on it, and what services it is dependent on.  This may give some clue as to what application created this service.

Look under the "Path To Executable" field of the service and let us know what it says.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
jmanserAuthor Commented:
thanks, I am investigating and will post ASAP!
0
 
LeeTutorretiredCommented:
Click on Start -> Run -> type MSCONFIG -> click on the Services tab -> put a check mark next to Hide all Microsoft Services, and see if any of the services remaining can be searched out on google.  If this doesn't help, then use the Startup tab of the same window to disable everything.  In Windows XP, just click on the button for Disable All. Reboot and see if the problem goes away.  If it does then re-enable the startup programs one (or a few) at a time, reboot, and when the problem occurs again, there is your culprit.

In Windows XP: If the problem continues to come up with all startup programs disabled, then it is probably a driver or service.  You can click on the Services tab in MSCONFIG, click on the button for Hide All Microsoft Services, leaving only third-party services displayed, then try turning them off in the same way you did for startup programs.  Finally, if third-party services are eliminated from being the cause of the problem, you could try narrowing down on Microsoft services in the same way.
0
 
LeeTutorretiredCommented:
Hey, BillDL, I see you around the Win98 and WinME topic areas all the time.  Did you finally break down and get WinXP?
0
 
jmanserAuthor Commented:
To BillDL:  I should have mentioned that I already looked to see it there were any dependencies - there are none.  When I try to start the service, I get "error 3:  system cannot find path specified"
0
 
jmanserAuthor Commented:
Other actions taken so far:  search for Ohcusen5ppp*.* turns up nada.  Searching registry I found in HKLM/ControlSet001/Enum/Root/LEGACY_OHCUSEN5PPP/0000 - with following contents:

Class: LegacyDriver
ClassGUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

When I googled the ClassGuid, one of the top search results was from Symantec.  I followed the link and it suggests that I have a virus:  W32.Banish.A@mm.  I guess this is possible, though my AV is up to date and have recent scans with no viruses found.

Thanks
0
 
Zaheer IqbalTechnical Assurance & ImplementationCommented:
0
 
jmanserAuthor Commented:
Scan showed no viral/malware activity.

Thanks
0
 
LeeTutorretiredCommented:
Here's the Symantec page about that virus.  Try running the removal instructions:

http://securityresponse.symantec.com/avcenter/venc/data/w32.banish.a@mm.html
0
 
BillDLCommented:
Thank you, jmanser.

Yes, a registry search would have been my next suggestion.  Glad you pre-empted it.
It could be that this isn't a Virus, in the true sense of the word, but an "unwanted program" ie. Adware, Scumware, Pest - call it what you will.

Take a look at this McAfee page that discusses Adware called "Digital-Names":
http://vil.nai.com/vil/content/v_135063.htm
The registry details (under the "Characteristics" tab) match the format of what you seem to have:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<SOME NAME HERE>\0000

AntiVirus software won't necessarily catch all Adware, so I suggest instead running a dedicated Adware finding application like AdAware by Lavasoft:
http://www.lavasoftusa.com/software/adaware/

Perhaps Microsoft's offering in this field might help:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.pcworld.com/news/article/0,aid,119300,00.asp

Look at any of the \0000\ sub-keys under:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
and you will find the Sting Value:
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

For example, the legitimate "Remote Procedure Call" Service (RpcSs):

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000]
"Service"="RpcSs"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Remote Procedure Call (RPC)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000\Control]
"ActiveService"="RpcSs"

The "ClassGUID" {8ECC055D-047F-11D1-A537-0000F8753ED1} is the "LegacyDriver" Class, and that in itself is quite legitimate, it's just how it seems to have been misused.

It looks like rogue activities can just create a bogus name "LEGACY_???" for their service (possibly randomly named) and add it as a new sub-key to this proper "Root" key and others like:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
so that they all tie together and create a functional service.

In your case, obviously the service isn't fully functional, because it can't find something it needs, but you obviously have the registry entries that will continue to try and launch it as a Service until stopped.  Until then, it may be impossible to remove all the cross-related entries while the service is set to load.

eg.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OHCUSEN5PPP

You will no doubt get a massive number of hits searching for that ClassGUID name in google, but searching for "OHCUSEN5PPP" probably won't find anything (as I found also) IF the name is randomly created.
When I say "random", it obviously has to add the same details consistently to the registry keys needed to create the service, but I am referring to the one-off use of a name.  Perhaps it takes the name of an existing file or registry key and adds characters to it, or jumbles it up.

When I first saw "OHCUSEN5PPP", I thought of several associated things and wondered if you had typed a 5 instead of an S.  I wondered if the "ppp" part referred to the "Point to Point" transmission protocol.  I also wondered if the "ohcu" part was "ohci" (Open Host Controller Interface) mistyped.  Perhaps "Usen" was "User" from a non-English program.  In the end, I believe it is a one-off name designed to resemble something that makes us think that it MAY be a proper system-related one when seen as a running service.

I think the best thing you could do is to try and search cross-referenced registry entries starting from the service name, and export the containing keys to *.REG files.  This gives you a backup that can be restored, and also allows you to verify what an AntiSpyware/Adware program finds when run.

Bill.

LeeTutor
>>>
"Hey, BillDL, I see you around the Win98 and WinME topic areas all the time.  Did you finally break down and get WinXP?"
<<<
Take a look here: http://www.experts-exchange.com/M_897440.html
Perhaps that day has finally arrived :-)
Actually, I've had Windows XP for quite some time, but just prefer Win98se with the unofficial SP as my main OS for everyday use.  It seems that less people are now asking questions in that TA now, so I should move on.
0
 
BillDLCommented:
I meant to add details about that "LegacyDriver" ClassGUID:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}]
"Class"="LegacyDriver"
@="Non-Plug and Play Drivers"
"NoDisplayClass"="1"
"SilentInstall"="1"
"NoInstallClass"="1"
"EnumPropPages32"="SysSetup.Dll,LegacyDriverPropPageProvider"
"Icon"="-19"

There should be sub-keys of the {8ECC055D-047F-11D1-A537-0000F8753ED1} key named \0000 to \0026.
I don't know if it goes any higher than that on other XP systems, but that's where mine stops and each sub-key is empty.  Perhaps yours contains some rogue values that tie in with the other "Legacy"-related keys.

I think this just about sums up the likely places to look, although obviously the Display Name may differ, and may or may not show the extension:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Some_Name.ext>]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Some_Name.ext>\0000]
"DeviceDesc"="<Some_Name.ext>"
"Service"="<Some_Name.ext>"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\<Some_Name.ext>]
"DisplayName"="<Some_Name.ext>"
"ImagePath"=<path to file as hex or string-value>

If you can get the "ImagePath" value as a fully qualified path (double-click on value in Regedit or Right-Click > "Modify"), then it would give you an idea why the error shows "system cannot find the path specified" as it would give you a file name to search for.  The file may have been cached somewhere else, or may have been in a folder somewhere else.  If this folder isn't the "system" one (%SystemRoot%\System32), and is another non-system folder lurking somewhere and created when the service was originally created, then there may be other unwanted files in it.
0
 
BillDLCommented:
before getting too carried away on the notion that this IS a rogue service, we MUST still consider the very real possibility that this IS a legitimate, but orphaned leftover, from some legacy "device" that needed a "driver" and launched as a service.

When you see a "Legacy Device" named "BEEP" that launches as a service of that name, then anything is possible.
Look back at my musings about the possible derivations of the name "OHCUSEN5PPP", and imagine any previous hardware or software (now removed from the system) that could have related to "Open Host Controller" and "Point to Point Transmission Protocol".  A broadband usb modem???

Just expressing caution here ;-)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 4
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now