Trouble w/operations restrictions

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
My mom's computer was infected with a worm virus, and I didn't know that she didn't have an antivirus program on it. So I installed Norton, and ran a complete scan. Nothing major. Well I still am having problems with certain programs like: commandr, Em_exec, agentsvr, explorer, Ccregvfy, Msiexec & Iexplore are all performing illegal operations. I'll deal with those later, the main thing I am worrying about is when I open Internet Explorer I get an illegal operation message for Iexplore. Then when I close that I get the message "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator".

I have searched and all I come up with is when people go to the internet options this message pops up. I am mainly worried about the internet, but if anyone knows anything on the other illegal operations, feel free to tell me.

Thanks,
 

Del

Joined
Aug 31, 2001
Messages
3,452
For the restriction, try this:


Go to Start > run > regedit

Now to 'Edit' > Search.

Search for a value called NoBrowserOptions, and delete that value in the right pane when found.

Next, press F3 to search for a possible second entry, and if found, delete that one as well.
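
The search described in the post above, as an added example that is not part of the thread: instead of deleting on sight, export the registry from regedit and list every key that holds `NoBrowserOptions`, plus any other non-zero value under a Policies key. The export text, the key paths in it and the function names are constructed for illustration.

```python
import re

# Constructed REGEDIT4 export; key paths and data are sample values, not from the thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=hex:01,00,00,00
'''

KEY = re.compile(r"^\[(.+)\]\s*$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode(data):
    """Decode the dword, hex and string forms used in REGEDIT4 exports."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex:"):
        raw = bytes(int(b, 16) for b in data[4:].split(",") if b.strip())
        return int.from_bytes(raw, "little")
    return data.strip('"')

def iter_values(text):
    """Yield (key, name, decoded data) for every value in the export."""
    key = None
    for line in text.splitlines():
        if (m := KEY.match(line)):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            yield key, m.group(1), decode(m.group(2).strip())

def find_value(text, name):
    """Every key holding `name`, like repeating the regedit search with F3."""
    return [(k, d) for k, n, d in iter_values(text) if n.lower() == name.lower()]

def active_policies(text):
    """Non-zero numeric values under any ...\\Policies\\... key."""
    return [(k, n, d) for k, n, d in iter_values(text)
            if "\\policies\\" in k.lower() and isinstance(d, int) and d != 0]
```

Working from an export also leaves a record of what was set before anything is deleted.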
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
And to help troubleshoot your other problems, please go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post the contents here.
 

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
OK, I'll try that when I get home. One other thing, what does it mean when the computer is telling you that it cannot find a program, but the program it's trying to find has characters in the name that I have never seen before? Like one character looks like an AA battery, another one is a cents symbol (not a dollar sign). They were set to load when the computer starts so I turned them off.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
That explanation doesn't really help us very much, I'm afraid.

Let's first have a look at your Startuplist log. That may lead us to the culprit.
 

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
Yeah I didn't really think it would help you too much, but I was just wondering if anyone saw any weird characters like that before. I'll post my startuplist in a couple of hours.
 

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
OK, I'm back, here is what I got for the startup list.

StartupList report, 1/20/03, 6:22:44 PM
StartupList version: 1.51
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
D:\NORTON\NISUM.EXE
D:\NORTON\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\WINDOWS\REGEDIT.EXE
E:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Norton Internet Security.lnk = D:\Norton\IntroWiz.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
Browser Launcher = C:\PROGRA~1\LOGITECH\KEYCOM~1\Commandr.EXE /HIDDEN
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
BootWarn = D:\Norton Anti Virus\BootWarn.exe /a
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Nisum = D:\Norton\NISUM.EXE
ccPxySvc = D:\NORTON\CCPXYSVC.EXE
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 19/1/2003, 17:38:4)

[rename]
DIRNUL=C:\WINDOWS\system\precopy
[NUL]
C:\WINDOWS\SYSTEM\DCOMREG.EXE=1

--------------------------------------------------


Enumerating Browser Helper Objects:

Yahoo! Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL - {13F537F0-AF09-11d6-9029-0002B31F9E59}
NAV Helper - D:\Norton Anti Virus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[WildTangent Control]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WEBDRIVER.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/arcadegames/fallingstars/wtinst.cab

[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://www.exittraffic.net/nocreditcard/freeviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.0203819444

--------------------------------------------------
End of report, 5,216 bytes
Report generated in 0.503 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



I know that's a lot, sorry.


But about the Internet Explorer problem, I searched the regedit for NoBrowserOptions and nothing came up. But when I go into Kazaa, I can search the internet that way. I just don't have all the functions. Do you think that I can just reinstall Internet Explorer?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Oops, I'm afraid I forgot all about this thread. Sorry about that.

Yup, that's the list, but it looks relatively clean.

You do have a few "bad" items in your Downloaded Program Files that need to be removed.
Go to Internet Options > Temp Internet Files > Settings, and press 'show objects'.

Delete the following three ActiveX objects:


[WildTangent Control]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WEBDRIVER.DLL
CODEBASE = http://www.wildtangent.com/install/...tars/wtinst.cab

[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://www.exittraffic.net/nocreditcard/freeviewer.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

I'm also interested in the exact text of your illegal operation message.

Could you cause that to happen, and then click the "details" button?

What exactly does it say there?
 

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
Alright! That's OK, my mom was bugging me about getting it fixed. Looks like you have been doing this for a while, I have no idea what I am reading there. I'll try this when I get home though, and post the details about the illegal operations.


Thanks
 

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
Here is a list of the details for the illegal operations.

First that pops up: COMMANDR

COMMANDR caused an invalid page fault in
module KERNEL32.DLL at 018f:bff83ba0.
Registers:
EAX=004835b8 CS=018f EIP=bff83ba0 EFLGS=00010206
EBX=0047a000 SS=0197 ESP=82b72e84 EBP=82b72f14
ECX=00400000 DS=0197 ESI=004835ba FS=38ff
EDX=0047a03c ES=0197 EDI=00000000 GS=0000
Bytes at CS:EIP:
0f b7 00 56 50 ff 75 e0 e8 19 8c ff ff 33 d2 85
Stack dump:
81781f5c 81781f70 0000000e 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 bfe81644 81781fb4
81781f78

Second one: EM_EXEC

EM_EXEC caused an invalid page fault in
module KERNEL32.DLL at 018f:bff83ba0.
Registers:
EAX=0040f5b6 CS=018f EIP=bff83ba0 EFLGS=00010202
EBX=0040a000 SS=0197 ESP=82a85e84 EBP=82a85f14
ECX=00400000 DS=0197 ESI=0040f5b8 FS=3907
EDX=0040a014 ES=0197 EDI=00000000 GS=0000
Bytes at CS:EIP:
0f b7 00 56 50 ff 75 e0 e8 19 8c ff ff 33 d2 85
Stack dump:
8174e82c 8174e840 00000008 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 10001100 8175fe38
8174e848

Those are the only two that pop up when windows starts.

This one pops up when I try to open Internet explorer: Iexplore

IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 018f:bff83ba0.
Registers:
EAX=004195ba CS=018f EIP=bff83ba0 EFLGS=00010202
EBX=00401fec SS=0197 ESP=83d39e84 EBP=83d39f14
ECX=00400000 DS=0197 ESI=004195bc FS=4f5f
EDX=00402000 ES=0197 EDI=00000000 GS=0000
Bytes at CS:EIP:
0f b7 00 56 50 ff 75 e0 e8 19 8c ff ff 33 d2 85
Stack dump:
817d4224 817d4238 00000005 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 bff510d0 817cabcc
817d4240


I don't know if this would help, but I can get on the internet. If I right click the Internet explorer icon and go to explore in the sub-menu it brings me to the internet.

All of the other illegal operations either went away or I'm just not hitting the right things to get them to open.
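
An added example, not part of the thread: a parser for the Windows 9x fault details posted above that groups records by faulting module, address and code bytes, so a fault site shared by different programs stands out. The sample text is abridged from the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Abridged from the three fault reports posted above (registers and stack omitted).
SAMPLE = """\
COMMANDR caused an invalid page fault in
module KERNEL32.DLL at 018f:bff83ba0.
Bytes at CS:EIP:
0f b7 00 56 50 ff 75 e0 e8 19 8c ff ff 33 d2 85

EM_EXEC caused an invalid page fault in
module KERNEL32.DLL at 018f:bff83ba0.
Bytes at CS:EIP:
0f b7 00 56 50 ff 75 e0 e8 19 8c ff ff 33 d2 85

IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 018f:bff83ba0.
Bytes at CS:EIP:
0f b7 00 56 50 ff 75 e0 e8 19 8c ff ff 33 d2 85
"""

FAULT = re.compile(
    r"^(?P<prog>\S+) caused an? (?P<kind>[\w ]+?) in\s+"
    r"module (?P<module>\S+) at (?P<sel>[0-9a-f]{4}):(?P<off>[0-9a-f]{8})\.",
    re.I | re.M)
CODE = re.compile(r"Bytes at CS:EIP:\s*\n((?:[0-9a-f]{2} ?)+)", re.I)

def parse_faults(text):
    """Return one dict per fault record; the code bytes are optional."""
    records, matches = [], list(FAULT.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        code = CODE.search(text, m.end(), end)  # look only inside this record
        rec = m.groupdict()
        rec["module"] = rec["module"].upper()
        rec["code"] = bytes.fromhex(code.group(1)) if code else b""
        records.append(rec)
    return records

def group_by_site(records):
    """Map (module, offset, code bytes) -> programs that faulted there."""
    sites = defaultdict(list)
    for r in records:
        sites[(r["module"], r["off"].lower(), r["code"])].append(r["prog"])
    return dict(sites)

if __name__ == "__main__":
    for (module, off, code), progs in group_by_site(parse_faults(SAMPLE)).items():
        print(f"{module}+{off} [{code[:3].hex(' ')}] <- {', '.join(progs)}")
```

On the posted details this yields a single site in KERNEL32.DLL shared by all three programs.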
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Here's how to get rid of your first two error messages:

Go to Start > Run, and type Msconfig.

On the Startup tab, uncheck the following two items. They're dispensable.

Browser Launcher = C:\PROGRA~1\LOGITECH\KEYCOM~1\Commandr.EXE /HIDDEN
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

Click OK, close Msconfig, and reboot.
 

Del

Joined
Aug 31, 2001
Messages
3,452
Did you try running the repair on IE or the fix for Restrictions I told you about?
 

Mtlca401

Thread Starter
Joined
Jan 19, 2003
Messages
21
Originally posted by Del:
Did you try running the repair on IE or the fix for Restrictions I told you about?

What repair? You told me to go to regedit and delete NoBrowserOptions. I did that but couldn't find anything.
 