
Illegal Operations, PLEASE HELP ME

Discussion in 'Virus & Other Malware Removal' started by Whittney, Dec 30, 2001.

Thread Status:
Not open for further replies.
  1. Whittney

    Whittney Thread Starter

    Joined:
    Dec 30, 2001
    Messages:
    2
    Please help me!! At startup I received at LEAST 22 Illegal operations messages. Here are 3: CPQDFWAG caused an invalid page fault in module WSOCK32.DLL at 016f:75fabba9., LUNDQ caused an invalid page fault in module KERNEL32.DLL at 016f:bff98adb., and AIVUA caused an invalid page fault in module AIVUA.EXE at 016f:00405891. Also, every time I run something, Explorer performs an illegal operation. Here is another error message encountered concerning Explorer: CG132 caused an invalid page fault in module <unknown> at 0084:bff7a388. I don't understand why this is happening. My system performance also seems to be deteriorating. PLEASE HELP ME fix this problem!!!!
     
  2. brianF

    brianF

    Joined:
    Dec 2, 1999
    Messages:
    12,041
    Try this for the CPQDF error

    Restart the system, when you do tap the F8 key.
    This will bring up the startup menu.
    To choose option 3 Safe mode type 3 then hit enter.
    Once the system is started, if you have Win98 click OK, WinME close the Help and Support window.
    Click start > run > type msconfig click ok.
    Click the Startup tab, it's at the top along with General, System.ini, Win.ini, etc.
    Remove the checkmark from CPQINET, and Connection Helper if it is there.
    Click OK.
    Click Yes to do you want to restart.
    Once the system is running in Windows again if it is ME put a check in "Do not show this dialog again" then click OK, 98 does not have this.
    You are done, and everything should be fine.
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I suspect you have infections with either the magistr or hybris worms or both.

    Please do an updated antivirus scan. An online one is available here:

    http://housecall.antivirus.com/pc_housecall/

    At some point you will need to replace the wsock32.dll which has probably been virus corrupted, see...

    http://www.claymania.com/wsock32-extraction.html

    If you've had the magistr worm it has probably placed files in your startup list which do not belong and may remain even after the worm has been "cleaned", since they are otherwise "legitimate" files.

    Download the startuplog.zip file from the site below. Run the startuplog.com file it contains and paste the entire contents of the startuplog.txt (not stubbpaths.txt) in your next reply.

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html
     
  4. Whittney

    Whittney Thread Starter

    Joined:
    Dec 30, 2001
    Messages:
    2
    I did everything you guys said. When I ran the virus check I did have around 40 files that were infected and all of which had to be deleted. How would I replace those files? Some are: wmytb.exe, lundq.exe, and aivua.exe. I receive a message at startup saying they cannot find these files. There is also one file that I cannot delete because it is in use and I have no idea what it is: rtftx.exe. But so far all the other problems are solved. I attached the startuplog.txt because I didn't know what to put in here so I just attached the whole thing. But thank you for all of your help and if you can help with this please do. Thanks!!!! Oh yeah, if you need any more information I'll be more than happy to provide it.
     


  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi,

    wmytb.exe, lundq.exe, and .exe are no Windows files, but are created by the virus, and they can be deleted.

    Took a look at your startuplog, and you should do 1 thing first:

    Go to Start/Run, and type Win.ini, then click OK.

    You'll see a line run=wmytb.exe, lundq.exe, uepf.exe, gnmj.exe, aivua.exe, itsrotg.exe, crtnvcoreesa.exe, ygsxpta.exe, uamwsy.exe, ikgcikien.exe, lvjvart.exe, kqjvr.exe, pmtdeshnvrfy.exe, dtdadgkdau.exe, mqvia.exe, peeojfael.exe, sweca.exe, menf.exe, rotsdclpo.exe, cokuojhugbuej.exe, fwmgvbmeam.exe, opdiipgsqqih.exe, qodwqjl.exe, eynsw.exe, yrdsl.exe, tscxjaxjcnuib.exe, ldfjxsttho.exe, rmdam.exe, yevavpahq.exe, okhnfwjioehkw.exe, rtftx.exe

    No wonder you're getting these errors.

    The run= line should be empty. This is all due to the virus.

    Delete everything after Run=, and go to File/save.

    Now close Win.ini, and reboot.
    You shouldn't get any of these errors any more.

    There's more harmful stuff among your startups, though.
    I'll get back to you with some further recommendations.

    Good luck,
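
An added example, not part of the original post: a small Python audit of the Win.ini autostart line described above. It lists what the `run=` line (and its sibling `load=` line, which the post does not mention) in the `[windows]` section would launch, and returns a copy with `run=` emptied; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample: a shortened win.ini modelled on the run= line quoted above.
SAMPLE_WIN_INI = """\
[windows]
load=
Run=wmytb.exe, lundq.exe, aivua.exe, rtftx.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SECTION = re.compile(r"\[(.+)\]$")

def _windows_keys(text):
    """Yield (line_index, key, value) for key=value lines in the [windows] section."""
    section = None
    for i, line in enumerate(text.splitlines()):
        stripped = line.strip()
        header = SECTION.match(stripped)
        if header:
            section = header.group(1).strip().lower()
        elif section == "windows" and "=" in stripped:
            key, value = stripped.split("=", 1)
            yield i, key.strip(), value.strip()

def audit_win_ini(text, keys=("run", "load")):
    """Return {key: [programs]} for the autostart keys (keys reported in lower case)."""
    found = {}
    for _, key, value in _windows_keys(text):
        if key.lower() in keys:
            # Assumption: entries are separated by commas and/or spaces (8.3 names).
            found[key.lower()] = [p for p in re.split(r"[,\s]+", value) if p]
    return found

def clear_run(text):
    """Return the text with the run= value emptied and every other line untouched."""
    lines = text.splitlines(keepends=True)
    for i, key, _ in _windows_keys(text):
        if key.lower() == "run":
            eol = lines[i][len(lines[i].rstrip("\r\n")):]
            lines[i] = key + "=" + eol
    return "".join(lines)

if __name__ == "__main__":
    for key, programs in audit_win_ini(SAMPLE_WIN_INI).items():
        print(f"{key}= starts {len(programs)} program(s): {programs}")
    print(clear_run(SAMPLE_WIN_INI))
```

Keeping the audit output before writing the cleaned copy preserves a record of exactly which names the worm had added.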
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You have some serious spyware there, plus some stuff routinely responsible for causing errors, and slowing your machine down.
    Let's remove all unnecessary and harmful stuff from startup.

    Go to Start/run, and type msconfig.
    On the Startup tab, uncheck EVERYTHING, EXCEPT for the following items

    "LoadPowerProfile"="
    "AvconsoleEXE"
    "CPQEASYACC"="
    "EACLEAN"="
    "ScanRegistry"=
    "SystemTray"=
    "VsStatEXE"=
    "Vshwin32EXE"=
    "AccessRampMonitor"=(optional)
    "StillImageMonitor"="
    "hppwrsav"="
    "McAfeeWebScanX"
    "MSMSGS"="C: (optional)
    "MailCleaner" (optional)
    SchedulingAgent"=
    "LoadPowerProfile"=

    Click OK, close Msconfig, and reboot (important!)

    The items marked 'optional' aren't necessary for Windows to run either, and you may experiment later by unchecking them as well.

    Now go to Software add/remove and remove Webhancer Agent.

    Reboot AGAIN.

    Download and install Ad-Aware. This is a program which scans your system for spyware.

    After having downloaded AAW, also download the latest Signature file (Reflist.sig) : http://www.lavasoftusa.net/aaw/binary/reflist.zip
    Unpack it to the Lavasoft Ad-Aware folder in Program Files, and have it overwrite the one that's there.

    Then have your drives and registry scanned for spyware, check all found files and reg keys, click continue, and have them removed.
    Reboot one last time.

    Now have your system scanned on line again at Trend Micro HouseCall: http://housecall.antivirus.com/


    Good luck,
     