#1
October 27th, 2003, 11:51 PM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
illegal operation

Hi,
For a few days now, I've been getting kicked out of IE...shuts down...and I get a dialog box which notes in the details:


EXPLORER caused a general protection fault
in module USER.EXE at 0003:00001022.
Registers:
EAX=00004a77 CS=17b7 EIP=00001022 EFLGS=00000246
EBX=000012dc SS=4a77 ESP=00008ba6 EBP=01858bc4
ECX=00014a77 DS=4a77 ESI=00008bd0 FS=4a8f
EDX=00010118 ES=4a77 EDI=0185ee58 GS=0000
Bytes at CS:EIP:
ff 5e 08 b9 bf 16 8e c1 59 5b 83 f9 0f 74 2e 81
Stack dump:
002874ac 0118ffff 01180268 16bf0268 0185ee58 00008c00 02a00118 8c0002a5 16df392d 12dc0001 02680000 ffff0118 000012dc 002874ac 012c02b4 02680000

Can anyone help with this? Is it related to IE? Windows 98 system? sun spots?

Thanks....appreciate any help.

Sylvii


Also, I forgot to note that when I shut down Windows, I get a blue screen with this message:
A fatal exception OE has occurred at 40F7.000004ED. The current application will be terminated.

*Press any key to terminate the current application.

*Press CTRL+ALT+DEL again to restart your computer. You will lose any unsaved information in all applications.

Press any key to continue _

When I get that screen and I press the keys indicated nothing happens......even with C+A+D.

So, I shut comp off manually and restart.....getting the message to wait a moment while "Windows updates and reconfigures files".

Anyone know what all of this is about?!

Again, thanks!
Sylvii

Last edited by sylvii51; October 28th, 2003 at 12:33 AM.

#2
October 28th, 2003, 03:38 AM
AnnMarie
Cyber Tech Help Moderator
Join Date: Oct 2001
Location: New Zealand
Posts: 48,383
Welcome to CTH sylvii51 - it might help if we can see what is running on your PC.

Go here and download and run a scan with Hijack This. Most of the files listed will be harmless and/or required so do not make any changes, just click on Save Log, copy it and post it back in this thread.
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection

#3
October 28th, 2003, 06:21 AM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
Hi,
Thanks for help with this.

I ran that hijack, and it showed a box with programs listed but there was nothing to click called "save log". It was not an actual hijack log that came up.

So, I saved it to "My Documents", but when I tried to open it so I could [possibly] copy, I got the Explorer illegal operation box and it froze screen....had to shut down.

I'm not sure how to get this copied....any suggestions?

btw, I had run SpyBot to check out system earlier and "cleaned it out"...hoping that would solve problem. And, I ran ScanDisk and there was nothing 'bad' noted in files.

Last edited by sylvii51; October 28th, 2003 at 06:53 AM.

#4
October 28th, 2003, 10:46 AM
AnnMarie
Cyber Tech Help Moderator
Join Date: Oct 2001
Location: New Zealand
Posts: 48,383
Hi sylvii51 - uninstall Hijack This (click on Config > Misc Tools > Uninstall Hijack This and Exit) and download it again. After you click on Scan, you should see a window showing the results of your scan and below that a button called Save Log. When you click on it, it will generate a log that you can copy and paste back here.

If that still doesn't work, go here and download and run Startup List. It will generate a log file. Copy the log and paste it back into this thread.

#5
October 28th, 2003, 11:17 AM
tb525
Hijack Advisor
Join Date: Sep 2002
O/S: Windows Vista
Posts: 3,132
Hi Sylvii,
Bout time you made it here! You're in good hands with AnnMarie...

-Tom

#6
October 28th, 2003, 05:09 PM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
Hi Tom! good to see you! ...bet this all sounds familiar, huh?

I'm off to try what she suggested.



hmmm....I can't even find Hijack to uninstall it.....geez! maybe it didn't install. I'll try to re-install....or just install.

Ok, here's what happened. I did the download thing suggested above, and it downloaded the file into My Documents. Then, when I tried to 'run' it couldn't 'run'....no file.

So, I tried to 'open file' but got this:
[box with]
"Click the program you want to use to open the file 'startuplist152.zip'. If the program you want is not in the list, click other."
There is a list of things, but I have no idea which I should click to open file. This is list (most of which I have no clue what they are):
123W
ACCWIZ
AcroRd32
Audiosta
blindman
CB32
CChat
DRWATSON
Explorer
fontview
GRPCONV
hh
HYPERTRM
iexplore
ISIGNUP
Kodaklmg'kodakprv
ilmobn11
mplayer
mplaery2
MSBACKUP
MSHTA
MSIMN
MSINFO32
MSPAINT
NOTEPAD
org32
PictureViewer
Program
QuickTime Player
quikview
Real Play
regdit
RUNDLL32
SPYBOTSD
wab
WB32
WINDAT
winhlp32
wmplayer
WORDPAD
WScript
ZONEALARM

Last edited by sylvii51; October 28th, 2003 at 05:33 PM.

#7
October 28th, 2003, 05:54 PM
tb525
Hijack Advisor
Join Date: Sep 2002
O/S: Windows Vista
Posts: 3,132
Hi Sylvii,
It appears that you don't have a program for opening zipped files. Here's HijackThis that I already unzipped. Right click on the link and choose 'Save Target As' http://d21c.com/Tom41/HijackThis.exe

Once downloaded double click on it to open and click the 'Scan' button. When the scan is finished, click 'Save Log'. Give it a name and click OK. Then copy and paste it into a reply..

#8
October 28th, 2003, 06:00 PM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
Ok thanks! I'll try that. (I would have been back here sooner but got kicked off of IE .....again)


After I clicked 'Save Log', it seemed to go to Notepad, but when I tried to 'copy' it, there was no button to click to copy. Now, I can't find it in Notepad. The file is sitting there in My Documents but won't let me copy.

Bear with me.....I'll keep trying. I saw the Scan Log, so I know it's there.

There are two files in My Documents...the HiJack.exe and the HiJack log, but when I try to open so I can copy, it - once again - does not give me the actual log but gives me that box with programs in it which will not copy.

I'll keep trying......I have the ScanLog on screen, but it is not letting me copy.
Let's see if this works: nope....it placed two question marks in here when I clicked 'paste'.

I've tried to copy and paste it someplace else....and, then re-copy, but in every case, it won't "paste". (I even tried to put it in Outlook Express)

Any suggestions?

Last edited by sylvii51; October 28th, 2003 at 06:31 PM.

#9
October 28th, 2003, 06:43 PM
tb525
Hijack Advisor
Join Date: Sep 2002
O/S: Windows Vista
Posts: 3,132
OK, double click on the HijackThis.log and when the 'Open With' dialog appears choose Notepad.

#10
October 28th, 2003, 07:36 PM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
Aargh! When I double-click the log file, it opens to the log which is in WordPad.....can't delete it out of there to put in NotePad. And, it won't copy and paste from WordPad.

...have to go to appt....will get back later and try this again.

#11
October 28th, 2003, 07:50 PM
tb525
Hijack Advisor
Join Date: Sep 2002
O/S: Windows Vista
Posts: 3,132
It should copy and paste from Wordpad...
Up at the top of the Wordpad window click Edit > Select all > Edit > Copy.
Then return here and click 'post reply' and right click in the message field and choose paste.

Or you can left click once on the log to highlight it, then hold down the shift key and right click on the highlighted log file and choose 'Open with'.
Choose Notepad from the 'Open With' menu..

#12
October 28th, 2003, 10:12 PM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
Here it is:
Logfile of HijackThis v1.97.3
Scan saved at 9:01:12 AM, on 10/28/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...861.8169097222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash/cabs/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhel...6/dlhelper.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOf...1/emCraft1.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexi...eInstaller.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50037/QDow.cab

#13
October 28th, 2003, 10:50 PM
AnnMarie
Cyber Tech Help Moderator
Join Date: Oct 2001
Location: New Zealand
Posts: 48,383
Hi again sylvii51 - run Hijack This again and this time, select the below entries and click on "Fix Selected". Reboot afterwards.

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe

When you have rebooted, run a search for the ClearSearch folder and delete it.

Next, open your browser and go to Tools > Internet Options and click on the General Tab. Click on Settings (next to Temporary Internet Files) and then click on View Objects. Right-click on each and choose Properties. If there is anything there that you don't know what it is (microsoft, apple, macromedia etc are OK) or where it came from, delete it. If there are any damaged controls there, delete those also.

Let us know if this helps and post back a new Hijack This log.
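
An added example, not part of the original thread or of HijackThis itself: a small Python triage of the log from post #12 that lists BHO registrations with no file on disk together with entries mentioning a folder name the reviewer supplies, and shows which CLSIDs recur across sections. The function names and the `clearsearch` search term are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: one process line and six entries copied from the log in post #12.
SAMPLE_LOG = r"""
C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOf...1/emCraft1.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, e.g. R1, O2, O16
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Return (section, text) pairs; lines without a section code are skipped."""
    hits = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]

def orphaned_bhos(entries):
    """O2 entries whose DLL is gone but whose registration remains."""
    return [t for s, t in entries if s == "O2" and t.endswith("(no file)")]

def shared_clsids(entries):
    """CLSIDs seen in more than one section, e.g. a BHO (O2) also listed under O16."""
    seen = defaultdict(set)
    for s, t in entries:
        for c in CLSID.findall(t):
            seen[c.upper()].add(s)
    return {c: sorted(secs) for c, secs in seen.items() if len(secs) > 1}

def fix_candidates(entries, name):
    """Orphaned BHOs plus every entry mentioning `name`, kept in log order."""
    orphans = set(orphaned_bhos(entries))
    return [f"{s} - {t}" for s, t in entries
            if t in orphans or name.lower() in t.lower()]

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for line in fix_candidates(entries, "clearsearch"):
        print("review:", line)
    print(shared_clsids(entries))
```

On the sample, the candidates are the same four lines selected in post #13, and the cross-reference shows that one of the orphaned BHO CLSIDs is also registered under O16.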

#14
October 28th, 2003, 11:29 PM
sylvii51
Member
Join Date: Oct 2003
Posts: 54
Hi Ann Marie,
Thanks again for your help. I was just getting ready to do this and got interrupted by company. So, I'll tackle it in the a.m.

Sylvii

#15
October 28th, 2003, 11:50 PM
AnnMarie
Cyber Tech Help Moderator
Join Date: Oct 2001
Location: New Zealand
Posts: 48,383
Ok, no problem, see you tomorrow.