restricted control panel access


boatboy

Thread Starter
Joined
Oct 31, 2007
Messages
15
I can't get into control panel or internet options. Message "The operation has been cancelled due to restrictions in effect on this computer. Please contact system administrator." This is a home stand-alone xp desktop. My son was trying to run some new virus-fighting software (go figure). My speed is real slow now too.

I went to msconfig and stopped all bootup processes. Helped a little with the speed. Still no access.

Thanks for any help with this. I'm at a loss on where to go.

Boatboy:confused:
 

Frank4d

Retired Trusted Advisor
Joined
Sep 10, 2006
Messages
9,126
This error message is many times caused by malware on your PC. To help us determine if that is the case download hijackthis here:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click Edit > Select All, then Edit > Copy to copy the entire contents of the log.
Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Please wait for a qualified malware expert to assist you with your log.
 

boatboy

Thread Starter
Joined
Oct 31, 2007
Messages
15
Frank4d,

First of all, thanks for taking your time with me. Really appreciated.
After 8 lines, scan stops at
04-HKCU\...\run:[ectaskpanel]"c:\programfiles\earthlinktotalaccess\taskpanel.exe"-winstart

and

error message box stating: "this action cannot be completed because the other application is busy. Choose 'switch to' to activate the other application and correct the problem." Hitting 'switch to' goes nowhere.

There is nothing else open or running at this point.

boatboy.
 
Joined
Nov 4, 2007
Messages
175
Yeah... that program sucks... had nothing but trouble with it.

If you still can, try accessing Task Manager. I'm assuming, though, since it's already infected your admin rights, that your Task Manager is unable to be accessed too.

If you can't access Task Manager right now, shut your PC down and start it back up. Right after (I mean right after) the welcome screen goes away and your desktop background is the only thing showing, hit Ctrl+Alt+Del to open up the Task Manager and that should work.

End everything in the Processes tab that isn't either run by the system (a system operation) or you know what the program is. That will save you for that startup moment... but once you shut down and restart you will have to do it all again lol.

Get AVG Malware scanner. It doesn't get affected by virus or spyware so it will always work.

If it's the spyware program I'm thinking of that you got, if you don't stop it quickly you're screwed... that's the short story...
 

boatboy

Thread Starter
Joined
Oct 31, 2007
Messages
15
finally got hijack to run.

Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:46 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\FlexLM\lmgrd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\FlexLM\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\FlexLM\adskflex.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\imapi.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-21-4235985134-1589623675-2718085120-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4235985134-1589623675-2718085120-1005\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Unknown owner - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE (file missing)
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\FlexLM\lmgrd.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4204 bytes
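
A triage pass over a HijackThis log like the one above, as an added example that is not part of the original post or of HijackThis itself: it parses the coded entries and flags the kinds of lines this log contains that merit a closer look (the O6 policy key, the O20 AppInit_DLLs module, and entries whose file is missing). The sample lines are copied from the log above; the function names and the flagging rules are assumptions of this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")
Finding = namedtuple("Finding", "code reason body")

# Sample input: lines copied from the log posted above (not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Unknown owner - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HijackThis entries look like "O20 - AppInit_DLLs: ..." (section code, dash, body).
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")


def parse_entries(text):
    """Return the coded entries, skipping the header and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag entries for human review (the rules are this example's assumptions)."""
    findings = []
    for e in entries:
        if e.code == "O6":
            reason = "policy key present: Internet Options may be restricted"
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            module = e.body.split(":", 1)[1].strip()
            if not module:
                continue
            reason = "module loaded via AppInit_DLLs"
            if not module.lower().endswith(".dll"):
                reason += " (extension is not .dll)"
        elif "(no file)" in e.body or "(file missing)" in e.body:
            reason = "entry points at a file that does not exist"
        else:
            continue
        findings.append(Finding(e.code, reason, e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"{f.code:<4}{f.reason}: {f.body}")
```
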
 
Joined
Nov 4, 2007
Messages
175
sulimo.dat is a common target for trojans, so I would check to see if that is the problem. (Check this thread Here)

Other than that I see nothing that could be wrong. Either Hijack didn't get the file or you're not the admin of the computer and whoever is disabled the use of it lol... but if you're not 10 then I doubt that's the case... unless your wife doesn't trust you ;)
 

boatboy

Thread Starter
Joined
Oct 31, 2007
Messages
15
ChemicalMonkey,
Sorry to disappoint you but Mrs Boatboy isn't the problem.
I did have a teenage son fooling around with the computer before this happened. Can I blame it on him?
How do I remove sulimo.dat? This is a stand-alone at-home computer.
Thanks for your help
Boatboy
 

Frank4d

Retired Trusted Advisor
Joined
Sep 10, 2006
Messages
9,126
Regular members are not allowed to assist with malware issues, so I have asked the Mods to move this to the Malware Removal forum where the experts there can help you.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click Non-Microsoft
    • In the Win32 Services group click Non-Microsoft
    • In the Driver Services group click Non-Microsoft
    • In the Registry group click ALL
    • In the Files Created Within group click 30 days. Make sure Non-Microsoft only is CHECKED
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED
    • In the File String Search group select ALL
    • In the Additional scans section please press Select All and then unselect Event Viewer. Uncheck Non-Microsoft only
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here. I will review it when it comes in.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
step 1

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

step 2

WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - All]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoControlPanel -> 1
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0
[Registry - Additional Scans - All]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe -> %windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> SpywareBot -> %ProgramFiles%\SpywareBot\SpywareBot.exe
< Software Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\policies\
YN -> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\Connwiz Admin Lock -> 0
[Files/Folders - Created Within 30 days]
NY -> SETAA.tmp -> %SystemRoot%\SETAA.tmp
NY -> SETAD.tmp -> %SystemRoot%\SETAD.tmp
NY -> SETB9.tmp -> %SystemRoot%\SETB9.tmp
NY -> xlavba6.exe -> %SystemRoot%\xlavba6.exe
NY -> SpywareBot Scheduled Scan.job -> %SystemRoot%\tasks\SpywareBot Scheduled Scan.job
NY -> SpywareBot -> %UserAppData%\SpywareBot
[Empty Temp Folders]
[Reboot]

The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

when it reboots


Post the following back here:

a new WinPFind3U report
the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
 

boatboy

Thread Starter
Joined
Oct 31, 2007
Messages
15
They sure are cute. I don't think we have them in the US, do we?


SDFix: Version 1.114

Run by bosshog on Sat 11/10/2007 at 09:13 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 21:22:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE"="C:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE:*:Enabled:Database Service Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 15 Nov 2005 78,104 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

Finished!
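
The winav.exe rule that the fix script earlier in the thread removes carries the same display-name resource (@xpsp2res.dll,-22019) as the sessmgr.exe rule in this export. As an added example (not part of the original post or of SDFix), the code below parses such an export and reports resource-string display names claimed by more than one executable; the sample lines come from the report above with the name field written as in the fix script, and the function names and the heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the export above (subset, constructed for the example).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
'''

REG_LINE = re.compile(r'^"(?P<key>.*)"="(?P<val>.*)"$')


def parse_export(text):
    """Parse .reg-style lines into rules: profile, path, scope, state, name."""
    rules, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            profile = line.strip("[]").split("\\")[-3].lower()
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        value = m.group("val").replace("\\\\", "\\")  # undo .reg escaping
        parts = value.rsplit(":", 3)  # the path itself may contain "C:"
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        rules.append({"profile": profile, "path": path, "scope": scope,
                      "state": state.lower(), "name": name})
    return rules


def shared_display_names(rules):
    """Resource-string names ("@dll,-id") used by more than one executable."""
    by_name = defaultdict(set)
    for r in rules:
        if r["name"].startswith("@"):
            by_name[(r["profile"], r["name"].lower())].add(r["path"].lower())
    return sorted((key, sorted(paths)) for key, paths in by_name.items()
                  if len(paths) > 1)


if __name__ == "__main__":
    for (profile, name), paths in shared_display_names(parse_export(SAMPLE_EXPORT)):
        print(profile, name, "->", ", ".join(paths))
```
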
 


dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
and please post the report that winpfind should have made
 

boatboy

Thread Starter
Joined
Oct 31, 2007
Messages
15
Sorry it took so long. She's running 100 times slower than normal, every command takes 3 minutes to execute.

Thanks again. My wife knew all about the hedgehogs so I've pointed her to the website.

Bob


[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoControlPanel not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
[Registry - Additional Scans - All]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpywareBot not found.
File not found.
Registry value HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\Connwiz Admin Lock deleted successfully.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\SETAA.tmp moved successfully.
C:\WINDOWS\SETAD.tmp moved successfully.
C:\WINDOWS\SETB9.tmp moved successfully.
C:\WINDOWS\xlavba6.exe moved successfully.
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job moved successfully.
C:\Documents and Settings\bosshog\Application Data\SpywareBot\Settings moved successfully.
C:\Documents and Settings\bosshog\Application Data\SpywareBot\Log moved successfully.
C:\Documents and Settings\bosshog\Application Data\SpywareBot moved successfully.
[Empty Temp Folders]
C:\DOCUME~1\bosshog\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\bosshog\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 11/11/2007 10:17:46
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
have you got control panel back yet

when did it start going slow

during the fix or before
 