#1
Illegal Operation
Lately when I log onto my MSN message boards I get this Illegal Operation and program will be shut down error. Can anyone help?

IEXPLORE caused a general protection fault in module unknown at 0000:0001a0ea.
Registers:
EAX=000000b3 CS=205f EIP=0001a0ea EFLGS=00010206
EBX=00000000 SS=2067 ESP=0000c918 EBP=0000c940
ECX=3030305c DS=2067 ESI=0000c970 FS=283e
EDX=00000020 ES=2067 EDI=00000095 GS=203f
Bytes at CS:EIP:
8b 0c 81 89 4d f4 23 c9 74 14 51 e8 26 58 00 00
Stack dump:
00002067 0000c970 00002067 0001f914 000c9564 00000000 0095b320 000c95b8 00000000 000002a0 0000cbd0 00016cd0 00000095 0000c970 00000001 00002067
#2
Hi Lauren,
Unknown module errors are most often caused by spyware.

There are many people who have helped this FAQ improve over time - MVPs and newsgroup users. I thank all of you who have made the newsgroups, anti-malware websites and dedicated mailing lists into such a wonderful resource.

Read the advice at my prevention link (http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of your computer being infected.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from the URL below - some malware can kill your internet connection when it is removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

**Note, if you are using XP SP2 the following command, run from start/run, may get your computer going again - it will reset the winsock catalogue:
netsh winsock reset

The software you should download and have ready to use is:

AdAware [..Warning: AdAware has now released Ad-Aware SE Personal Edition, available from http://www.lavasoftusa.com/support/download/ Version 6.181 is, at the time of writing, still supported. All previous versions are NO LONGER SUPPORTED and will not be updated...]
Spybot Search and Destroy - http://spybot.eon.net.au
HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
CWShredder - http://www.merijn.org/files/CWShredder.exe
HackerDefender Disabler - http://www.aumha.org/downloads/unhackdef.zip Extract the BAT file to your desktop.
Trend Micro's 'Damage Cleanup Engine / Template http://www.trendmicro.com/download/dcs.asp and the latest pattern file http://www.trendmicro.com/download/pattern.asp

IMPORTANT: After obtaining the required software above, make sure you check for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

Go to Control Panel, Folder Options, View Tab. Turn on the option to show hidden files.
Turn off the option to hide protected system files.

***WARNING!! Files are hidden by Windows for a very good reason. It is not wise to 'experiment' with these files. Unfortunately, to successfully remove modern malware we must turn this protection off. There is a risk to doing this. Please turn the protection back on when you have finished cleaning your system.***

Run HackerDefender Disabler by double-clicking. A DOS window will flash onto your screen and then disappear. This is normal.

First, go to Control Panel, add/remove programs. Check for malware entries and use the uninstall programs, then reboot.

Check all 'startup' folders at ..\Documents and Settings\All Users\Start Menu\Programs\Startup or ...\Documents and Settings\username\Start Menu\Startup

Go to start/run and type MSCONFIG. Go to the startup tab. Disable everything that you do not recognise as legitimate (do not disable any power profile options). Now go to the Services tab. Turn on the option to 'hide all Microsoft Services'. Disable everything that remains. If you don't have this option, don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options appear. Choose Safe Mode as your startup choice. You will find information about what safe mode is, and what it does, at this link [http://inetexplorer.mvps.org/data/safe_mode.htm]

Empty your IE cache and your other temporary file folders, eg: c:\temp, c:\windows\temp or C:\Documents and Settings\name\Local Settings\Temp (the path to your temp folder will change depending on your name) - sometimes programmes can be hidden in there - watch out for mysterious *.exe files or *.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. Delete anything you don't recognise (hint: check the object's properties by right clicking the object and select 'properties'.
You will often be able to easily recognise legitimate objects such as those related to java, or Windows Update, and will even see what URL the object was downloaded from.)

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style sheet chosen (under User Style Sheet - format documents using my style sheet). If the option is turned on, turn it OFF.

Start CWSHREDDER. Fix anything it finds. Reboot back into safe mode.

Start AdAware.

AdAware SE...
Remember to update using the 'check for updates now' button. Update, then select 'start' option. Make sure that 'search for negligible risk entries' is turned on. Select 'use custom scanning options' then select 'customise'. Make sure the following options are enabled: 'scan within archives', 'scan active processes', 'scan registry', 'deep scan registry', 'scan my IE favorites for banned URLs', 'scan my Hosts file'.
Select the 'tweak' option. Under 'scanning engine', make sure 'unload recognized processes and modules during scan' is enabled. Enable 'scan registry for all users instead of current users'. Under 'cleaning engine' turn on 'always try to unload modules..', 'during removal unload explorer and IE if necessary', 'let windows remove files in use at next reboot', 'delete quarantined items after restoring'.
Use the 'select drives and folders to scan' option to ensure that your ENTIRE hard drive is scanned (if you have more than one hard drive, scan all of them (of course, do not include floppy and CD/DVD)).

Adaware 6.181 (versions older than 6.181 are unsupported and useless)
Note that when run using default settings, older versions of AdAware do not cope with new 'intelligent' malware. Make the following changes to the default settings. Use the option 'select drives/folders to scan'. Set AdAware to scan your entire hard drive. Make sure 'activate in depth scan' is enabled. Select 'use custom scanning options' and then click on the 'customize' button.
Turn on the following scan options - scan within archives, scan active processes, scan registry, deep registry scan, scan [my] IE favorites for banned URLs, and scan [my] hosts file.
Use the 'tweak' button. Turn on the following options:
Cleaning engine: 'automatically try to unregister objects prior to deletion', 'let windows remove files in use at next reboot', 'delete quarantined objects after restoring'.
Scanning engine: 'unload recognized processes during scan'.

After you have finished with AdAware run Spybot to pick up any leftovers. Fix anything marked in red.

If the problem comes back, start all over again but with the following changes (this section requires advanced computer skills - inexperienced users will require assistance, available via the public newsgroups or various anti-spyware forums, my preferred forum being http://forum.aumha.org/)

Use Trend Micro's 'Damage Cleanup Engine / Template. Note: You must follow *all* instructions provided by Trend Micro:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
Turn off the option to automatically clean or delete detected files. Run the utility. Remove anything that is *not* in 'system volume information' (thanks for the warning Mow).

Run Adaware etc etc as per above.

The following is for advanced users and professional technical support - these steps are NOT recommended for the inexperienced. I have not provided detailed instructions or advance and have assumed a higher than average level of skill...

Remember, do as much as you can in safe mode. Use the HackerDefender Disabler above before starting in-depth diagnosis.

Go to MSCONFIG and go to the General tab. Turn off the options to process win.ini file, load system services and load startup items. Restart Windows and run AdAware etc once more.

The following is by no means exhaustive.
Without the amazing brain of Tony Klein (in particular) and other MVPs I simply could not keep up with what to learn and where to look when trying to keep on top of malware. Guys, I simply couldn't do it without you!!! I have learned a lot about where to look for malware from Tony in a private web forum. If there was a publicly available URL I would point to it, but as far as I know there isn't, and the information is critically important to those of us doing at the sharp end of the cleanup brigade.

Note: I have provided a list of utilities further down that will do a lot of the following gruntwork for you.

Examine win.ini, autoexec.bat, system.ini, config.nt, autoexec.nt as relevant. Use services.msc. Search for unusual or unexpected *.bat files and unexpected autostart entries in the Run, RunOnce, RunOnceEx, RunServices, Services, Winlogon and Scripts registry keys. Search the rest of the registry for any further references to discovered malware. Invariably if you find a malware key in one of those keys, you'll find a further reference to the component elsewhere.

Also watch out for entries at
HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

I strongly recommend that unless you have a lot of experience working in this area that until such time as I am able to track down a comprehensive list of legitimate services (or put one together myself), that you post details of the services revealed by services.msc to a microsoft.public newsgroup for professional guidance. If you turn off the wrong service you could cause serious problems, and at the very worst, leave the computer unbootable.

An experienced computer technician can use programmes such as AutoStart Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer
Or Process Viewer for Windows:
http://www.teamcti.com/pview/
Or 'Silent Runners':
http://www.aaronoff.com/silent_runners/
Or APM (Advanced Process Manipulation):
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the operating system, create a new restore point. The old ones may, of course, be infected with the malware and cannot be used. Run disk cleanup to remove old restore points (if your operating system has this option you will find it on the 'more options' tab of the disk cleanup utility). If the option to remove old restore points is not available, stop and restart the restore service which will flush out old restore points and prevent accidental reloading of malware.

MS have released a limited KB article regarding what they call 'deceptive software'.
http://support.microsoft.com/default...b;EN-US;827315

Here is advice specific to:
home page hijackings http://inetexplorer.mvps.org/answers.htm#home_page
pop-up ads http://inetexplorer.mvps.org/data/popup.htm
search engine hijackings http://inetexplorer.mvps.org/answers4.htm#search_engine

--
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/

Lauren wrote:
> Lately when I log onto my MSN message boards I get this Illegal Operation and program will be shut down error. Can anyone help?
>
> IEXPLORE caused a general protection fault in module unknown at 0000:0001a0ea.
> Registers:
> EAX=000000b3 CS=205f EIP=0001a0ea EFLGS=00010206
> EBX=00000000 SS=2067 ESP=0000c918 EBP=0000c940
> ECX=3030305c DS=2067 ESI=0000c970 FS=283e
> EDX=00000020 ES=2067 EDI=00000095 GS=203f
> Bytes at CS:EIP:
> 8b 0c 81 89 4d f4 23 c9 74 14 51 e8 26 58 00 00
> Stack dump:
> 00002067 0000c970 00002067 0001f914 000c9564 00000000 0095b320 000c95b8 00000000 000002a0 0000cbd0 00016cd0 00000095 0000c970 00000001 00002067
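
The registry autostart locations named in the reply above can be listed for review in one read-only pass. This is an added example, not part of Sandi's post: it assumes a Windows version that ships PowerShell, it covers the Run-family, Winlogon, AppInit_DLLs, SharedTaskScheduler and Browser Helper Objects keys (Services and Scripts are left out), and the function name Get-AutostartValue and the Winlogon value names Shell and Userinit are this example's own choices.

```powershell
# Added example: read-only listing of the autostart locations named above.
# Nothing is modified or deleted. Missing keys (e.g. RunServices) are skipped.
$allValues = @(   # keys where every value is an autostart entry
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)
# Keys where only particular values load code. In the registry the key name
# is "Windows NT" (with a space). Shell/Userinit are this example's choice.
$namedValues = @{
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'  = @('AppInit_DLLs')
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Shell', 'Userinit')
}
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-AutostartValue {
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    if (-not $Names) { $Names = $key.GetValueNames() }
    foreach ($n in $Names) {
        $data = $key.GetValue($n)
        if ($null -ne $data -and "$data" -ne '') {
            [pscustomobject]@{ Key = $Path; Name = $n; Data = "$data" }
        }
    }
}

$found = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($k in $allValues) { Get-AutostartValue -Path "$hive\$k" }
    foreach ($k in $namedValues.Keys) {
        Get-AutostartValue -Path "$hive\$k" -Names $namedValues[$k]
    }
})

# Browser Helper Objects are subkeys named by CLSID; resolve each to its DLL.
$found += @(Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = '(CLSID not registered)'
        if (Test-Path -LiteralPath $srv) { $dll = (Get-Item -LiteralPath $srv).GetValue('') }
        [pscustomobject]@{ Key = $bhoKey; Name = $clsid; Data = "$dll" }
    })

$found | Sort-Object Key, Name | Format-List Key, Name, Data
```

Saving the output before and after a cleanup pass and comparing the two listings shows which autostart entries were actually removed and which came back.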