
restricted control panel access

Discussion in 'Virus & Other Malware Removal' started by boatboy, Nov 6, 2007.

Thread Status:
Not open for further replies.
  1. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    I can't get into Control Panel or Internet Options. Message: "The operation has been cancelled due to restrictions in effect on this computer. Please contact system administrator." This is a home stand-alone XP desktop. My son was trying to run some new virus-fighting software (go figure). My speed is really slow now too.

    I went to msconfig and stopped all bootup processes. Helped a little with the speed. Still no access.

    Thanks for any help with this. I'm at a loss on where to go.

    Boatboy
     
  2. Frank4d

    Frank4d Retired Trusted Advisor

    Joined:
    Sep 10, 2006
    Messages:
    9,126
    This error message is often caused by malware on your PC. To help us determine if that is the case, download HijackThis here:

    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

    Save HJTsetup.exe to your desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.

    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click Edit > Select All> Edit > Copy to copy the entire contents of the log.
    Paste the log in your next reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Please wait for a qualified malware expert to assist you with your log.
     
  3. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    Frank4d,

    First of all, thanks for taking your time with me. Really appreciated.
    After 8 lines, scan stops at
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

    and

    error message box stating: "this action cannot be completed because the other application is busy. Choose 'switch to' to activate the other application and correct the problem." Hitting 'switch to' goes nowhere.

    There is nothing else open or running at this point.

    boatboy.
     
  4. ChemicalMonkey

    ChemicalMonkey

    Joined:
    Nov 4, 2007
    Messages:
    175
    Yeah... that program sucks... had nothing but trouble with it.

    If you still can, try accessing Task Manager. I'm assuming, though, since it's already infected your admin rights, that your Task Manager is unable to be accessed too.

    If you can't access Task Manager right now, shut your PC down and start it back up. Right after (I mean right after) the welcome screen goes away and your desktop background is the only thing showing, hit Ctrl+Alt+Del to open up Task Manager and that should work.

    End everything in the Processes tab that isn't either run by the system (a system operation) or a program you know. That will save you for that startup moment... but once you shut down and restart you will have to do it all again, lol.

    Get the AVG malware scanner. It doesn't get affected by viruses or spyware, so it will always work.

    If it's the spyware program I'm thinking of that you got, and you don't stop it quickly, you're screwed... that's the short story...
     
  5. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    Finally got HijackThis to run.

    Here is the log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:09:46 AM, on 11/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\FlexLM\lmgrd.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\FlexLM\lmgrd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\FlexLM\adskflex.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKUS\S-1-5-21-4235985134-1589623675-2718085120-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-4235985134-1589623675-2718085120-1005\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Unknown owner - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE (file missing)
    O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\FlexLM\lmgrd.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4204 bytes
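As an added example (not code from this thread, from HijackThis or from Trend Micro), here is a small parser for the log format posted above. It pulls the R/F/O scan entries out of a HijackThis 2.0 log and flags the three entry classes that matter for this thread: the O6 line, which reports a Policies key under Internet Explorer\Control Panel and is the kind of key that produces the "restrictions in effect on this computer" message; the O20 AppInit_DLLs value (sulimo.dat), which is loaded into every process that maps user32.dll; and O23 services whose binary is "(file missing)". The sample lines are copied from the log above so the script runs offline; the function names and the rule wording are my own.

```python
"""Parse a HijackThis 2.0 log and flag the entry classes that explain a
'restrictions in effect on this computer' message or load code system-wide."""
import re
from typing import NamedTuple

# Constructed sample: a handful of lines copied from the log posted above,
# so this runs offline. A real run would read the saved hijackthis.log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Unknown owner - C:\PROGRA~1\EARTHL~1\PROTEC~1\EFWPPS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every scan entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<sect>[RFO]\d+) - (?P<body>.+)$")


class Entry(NamedTuple):
    section: str
    body: str


def parse_hjt(text: str) -> list:
    """Return the R/F/O scan entries; header lines and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sect"], m["body"]))
    return entries


def triage(entries) -> list:
    """Return (section, reason, detail) for entries a reviewer should look at first.

    O6  : a Policies key under Explorer/Internet Explorer is present; on a
          stand-alone home PC nothing but an admin or malware writes one.
    O20 : AppInit_DLLs is loaded into every process that maps user32.dll,
          so a single value there affects the whole session.
    O23 : a service whose binary is gone still has a registration to clean up.
    """
    findings = []
    for e in entries:
        if e.section == "O6":
            findings.append((e.section, "policy restriction key present", e.body))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            path = e.body.split(":", 1)[1].strip()
            why = "AppInit_DLLs set"
            if not path.lower().endswith(".dll"):
                why += " (non-.dll extension, unusual for a loadable DLL)"
            findings.append((e.section, why, path))
        elif e.section == "O23" and e.body.endswith("(file missing)"):
            findings.append((e.section, "service registered but binary missing", e.body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<4} {reason}: {detail}")
```

Run against the full log, the three findings it prints are exactly the lines the later posts act on: the O6 policy key, sulimo.dat, and the dead EarthLink firewall service. Everything else in the log (EarthLink toolbar, Office add-ins, NVIDIA and Intel services) is ordinary for this machine.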
     
  6. ChemicalMonkey

    ChemicalMonkey

    Joined:
    Nov 4, 2007
    Messages:
    175
    sulimo.dat is a common target for trojans, so I would check to see if that is the problem (check this thread here).

    Other than that I see nothing that could be wrong. Either HijackThis didn't get the file or you're not the admin of the computer and whoever is has disabled the use of it, lol... but if you're not 10 then I doubt that's the case... unless your wife doesn't trust you ;)
     
  7. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    ChemicalMonkey,
    Sorry to disappoint you but Mrs Boatboy isn't the problem.
    I did have a teenage son fooling around with the computer before this happened. Can I blame it on him?
    How do I remove sulimo.dat? This is a stand-alone at-home computer.
    Thanks for your help
    Boatboy
     
  8. Frank4d

    Frank4d Retired Trusted Advisor

    Joined:
    Sep 10, 2006
    Messages:
    9,126
    Regular members are not allowed to assist with malware issues, so I have asked the Mods to move this to the Malware Removal forum where the experts there can help you.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,916
    First Name:
    Derek
    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click ALL
      • In the Files Created Within group click 30 days Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select ALL
      • In the Additional Scans section, press Select All and then unselect Event Viewer. Uncheck Non-Microsoft only.
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    Use the Reply button and attach the notepad file here. I will review it when it comes in.
     
  10. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    Thanks for your time Derek. This is one big file. Good luck.

    Boatboy:)


  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,916
    First Name:
    Derek
    step 1

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    step 2

    WinPFind3 Fix -


    Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Unregister Dlls]
    [Registry - All]
    < CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoControlPanel -> 1
    < CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0
    [Registry - Additional Scans - All]
    < BotCheck > -> 
    YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe -> %windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019
    < Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
    YN -> SpywareBot -> %ProgramFiles%\SpywareBot\SpywareBot.exe
    < Software Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\policies\
    YN -> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\Connwiz Admin Lock -> 0
    [Files/Folders - Created Within 30 days]
    NY -> SETAA.tmp -> %SystemRoot%\SETAA.tmp
    NY -> SETAD.tmp -> %SystemRoot%\SETAD.tmp
    NY -> SETB9.tmp -> %SystemRoot%\SETB9.tmp
    NY -> xlavba6.exe -> %SystemRoot%\xlavba6.exe
    NY -> SpywareBot Scheduled Scan.job -> %SystemRoot%\tasks\SpywareBot Scheduled Scan.job
    NY -> SpywareBot -> %UserAppData%\SpywareBot
    [Empty Temp Folders]
    [Reboot]
    
    
    The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

    when it reboots


    Post the following back here:

    a new WinPFind3U report
    the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
     
  12. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    They sure are cute. I don't think we have them in the US, do we?


    SDFix: Version 1.114

    Run by bosshog on Sat 11/10/2007 at 09:13 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-10 21:22:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 2


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
    "C:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE"="C:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE:*:Enabled:Database Service Manager"
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
    "C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------


    Files with Hidden Attributes:

    Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
    Tue 15 Nov 2005 78,104 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
    Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

    Finished!
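The "Authorized Application Key Export" in the SDFix report above is the Windows Firewall exception list: each value is "path:scope:state:display name". The stock entry for sessmgr.exe carries a resource-string display name (@xpsp2res.dll,-22019) rather than text, and winav.exe, which the WinPFind3U fix removes, sits in the same %windir%\system32 directory with the same resource string, so it renders in the firewall UI under the built-in entry's name. As an added example (not code from this thread, SDFix or Windows), here is a parser for that export with two checks: a non-stock binary borrowing the stock display-name resource, and a non-stock binary living under %windir%\system32 at all. The sample lines are copied from the export above, written as the registry stores them (":@" where the forum's smiley filter can render ":mad:"); the allow-list STOCK_SYSTEM32 and the function names are assumptions made for this example.

```python
"""Audit a Windows Firewall (XP SP2) AuthorizedApplications export, as
printed by SDFix, for exceptions that masquerade as the stock entry."""
import re
from dataclasses import dataclass

# Constructed sample: four lines copied from the export posted above. The
# display name ':@xpsp2res.dll,-22019' is written as the registry stores it.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
'''

# Assumption for this example: the only stock exception living under
# %windir%\system32 is sessmgr.exe, and only it should carry this
# resource-string display name. Tune both for the build you audit.
STOCK_SYSTEM32 = {"sessmgr.exe"}
STOCK_RESOURCE = "@xpsp2res.dll,-22019"

# One .reg-style line: "<path>"="<path>:<scope>:<state>:<display name>",
# with backslashes doubled inside the quotes.
LINE_RE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')


@dataclass
class FirewallException:
    path: str
    scope: str   # '*' = any remote address, 'LocalSubNet' = subnet only
    state: str   # 'Enabled' / 'Disabled' (case varies in real exports)
    name: str    # free text or an '@dll,-id' resource reference


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\")


def parse_export(text: str) -> list:
    """Parse value lines; key lines in [brackets] and blanks are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, val = _unescape(m["key"]), _unescape(m["val"])
        # The value repeats its own path first; splitting on ':' naively
        # would break on the drive letter, so strip that prefix instead.
        if not val.startswith(path + ":"):
            continue
        scope, state, name = val[len(path) + 1:].split(":", 2)
        out.append(FirewallException(path, scope, state, name))
    return out


def audit(entries) -> list:
    """Return (entry, [reasons]) for exceptions that look like an impostor."""
    findings = []
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1].lower()
        in_system32 = e.path.lower().startswith("%windir%\\system32\\")
        reasons = []
        if e.name == STOCK_RESOURCE and base not in STOCK_SYSTEM32:
            reasons.append("borrows the display-name resource of the stock sessmgr.exe entry")
        if in_system32 and base not in STOCK_SYSTEM32:
            reasons.append("non-stock executable under %windir%\\system32")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{entry.path} [{entry.scope}/{entry.state}]")
        for r in reasons:
            print("   -", r)
```

On the export above only winav.exe trips both rules; QuickBooks, TurboTax, Office and iTunes carry their own product names and live under Program Files. The same value format appears in the DomainProfile list further down the report, so the parser can be pointed at both.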
     


  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,916
    First Name:
    Derek
    And please post the report that WinPFind should have made.
     
  14. boatboy

    boatboy Thread Starter

    Joined:
    Oct 31, 2007
    Messages:
    15
    Sorry it took so long. She's running 100 times slower than normal, every command takes 3 minutes to execute.

    Thanks again. My wife knew all about the hedgehogs so I've pointed her to the website.

    Bob


    [Registry - All]
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoControlPanel not found.
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
    [Registry - Additional Scans - All]
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpywareBot not found.
    File not found.
    Registry value HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\Connwiz Admin Lock deleted successfully.
    [Files/Folders - Created Within 30 days]
    C:\WINDOWS\SETAA.tmp moved successfully.
    C:\WINDOWS\SETAD.tmp moved successfully.
    C:\WINDOWS\SETB9.tmp moved successfully.
    C:\WINDOWS\xlavba6.exe moved successfully.
    C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job moved successfully.
    C:\Documents and Settings\bosshog\Application Data\SpywareBot\Settings moved successfully.
    C:\Documents and Settings\bosshog\Application Data\SpywareBot\Log moved successfully.
    C:\Documents and Settings\bosshog\Application Data\SpywareBot moved successfully.
    [Empty Temp Folders]
    C:\DOCUME~1\bosshog\LOCALS~1\Temp\ -> emptied.
    C:\Documents and Settings\bosshog\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
    RecycleBin -> emptied.
    < End of log >
    Created on 11/11/2007 10:17:46
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,916
    First Name:
    Derek
    Have you got Control Panel back yet?

    When did it start going slow,

    during the fix or before?
     
Short URL to this thread: https://techguy.org/648793
