Trojan caused registry problems???
Original Message

Name: mazeo
Date: June 22, 2004 at 16:49:10 Pacific
Subject: Trojan caused registry problems???
OS: Win98
CPU/Ram: CyrixInstead 6x86MX 225 M

Comment: I recently had a spell with trojans, a browser hijacker (coolweb, etc.); through the good help of these forums I was able to eradicate my problems. But since then I have been receiving "Illegal operation" messages at various times, mainly when I access MSN Hotmail and especially when I try to update Windows. I tried posting my problems with the MS forum but I received this message:

    EXPLORER caused an invalid page fault in module <unknown> at 0000:824a244a.
    Registers: EAX=00515333 CS=0177 EIP=824a244a EFLGS=00010202 EBX=00000000 SS=017f ESP=00f89390 EBP=00f893d8 ECX=000014cd DS=017f ESI=04a413a9 FS=10cf EDX=7249fcfd ES=017f EDI=824a244b GS=2f96
    Bytes at CS:EIP: 33 49 74 03 aa eb f9 aa 8b 7c 24 1c 8b f2 66 c7
    Stack dump: 63006d46 0050b588 1a40c54d 00cc000c 00515358 ffffffff 04a4000c 0000286a 00000001 0050b588 8000000a 0000000b 04a4000c 0000286a 0046c3a4 00000000

Other messages appear when I try to send email through Hotmail:

    EXPLORER caused an invalid page fault in module <unknown> at 0000:2077654e.
    Registers: EAX=00000037 CS=0177 EIP=2077654e EFLGS=00010206 EBX=00000000 SS=017f ESP=035b6d98 EBP=035b6df0 ECX=800082b8 DS=017f ESI=7249fcfd FS=194f EDX=800076c8 ES=017f EDI=00000881 GS=0000
    Bytes at CS:EIP:

I have been receiving variants of that error message every time I use Hotmail. I have Norton 2003 and have since tried using the optimizations to correct and/or scan my disk, Windows, registry, etc. I do get errors but Norton "fixes" them. In fact I also received this message 2x while trying to use the Norton utilities:

    OBC caused an invalid page fault in module OBC.EXE at 015f:00412e3f.
    Registers: EAX=00000002 CS=015f EIP=00412e3f EFLGS=00010246 EBX=ffffffff SS=0167 ESP=0069fa74 EBP=00000000 ECX=00000000 DS=0167 ESI=007c1ab0 FS=2b3f EDX=80006798 ES=0167 EDI=00000000 GS=0000
    Bytes at CS:EIP: 8b b7 84 00 00 00 3b b7 88 00 00 00 74 26 83 7c
    Stack dump: 00000001 007c1ab0 0069fac0 ffffffff 0041e084 00000000 007c1ab0 00000000 004025b3 5f46158f 007c1ab0 000007dc 007c3c00 bff7b99f 006b4480 00000000

And now, I am getting more errors:

    Microsoft Visual C++ Runtime Library
    Runtime Error!
    Program c:\PROGRAM FILES\COMMON FILES\SYSMANTEC SHARED\CCAPP.EXE
    R6025 - Pure Virtual Function Call

I have tried to update from Windows Update to possibly get some helpful patches or something, but after a successful scan I cannot download any critical updates; my browser freezes and I get another "illegal operation" message and I have to close IE, which usually requires a reboot altogether:

    EXPLORER caused an invalid page fault in module <unknown> at 0000:822a644a.
    Registers: EAX=004b6033 CS=0177 EIP=822a644a EFLGS=00010202 EBX=00000000 SS=017f ESP=00809390 EBP=008093d8 ECX=000014cd DS=017f ESI=03aa3211 FS=35bf EDX=722a3cfd ES=017f EDI=822a644b GS=2cce
    Bytes at CS:EIP: 33 49 74 03 aa eb f9 aa 8b 7c 24 1c 8b f2 66 c7
    Stack dump: 63006d46 03af6934 1a40c54d 00cc000c 004b60e0 ffffffff 03aa1e74 0000286a 00000001 03af6934 8000000a 0000000b 03aa1e74 0000286a 004b3994 00000000

I have tried and retried to complete a successful update but it only ends with a frozen browser and "illegal operation" messages with variants of the above details. I have tried using the IE repair but to no avail. Is my system just going down? It's all I've got for now; I would like to remedy it if I could. This forum has worked miracles for me in the past so I'm crossing my fingers again. I apologize about the length, I am trying to be thorough for the tech gurus... thank you in advance to all who can work their magic......

Response Number 1
Name: Derek
Date: June 22, 2004 at 16:57:34 Pacific

Reply: As it is Windows Explorer (explorer.exe) being reported rather than iexplore.exe, it is a Windows problem rather than IE. I'm no expert on virus problems but it's just possible that your registry has now got in a tizz. While you are waiting there is no harm in rebuilding your current registry (it often fixes general problems). "Shut down" to MS-DOS and type scanreg /fix (hit the Return key). When it has finished type exit (Return key) to restart Windows. Derek.W

Response Number 2
Name: mazeo
Date: June 23, 2004 at 13:33:01 Pacific

Reply: Thank you for your help... I ran scanreg in MS-DOS. After about 15 minutes it was complete. It was hanging on the .DAT files? for most of the time. I rebooted and tried Windows Update again. Same "illegal operation" message after I tried to download 'critical updates.' I'm at a loss... completely. Should I just FORMAT my HD? And what is the best, or most effective (safest) way to format? It is an older, smaller system but it is all I have for now.

Response Number 3
Name: mazeo
Date: June 23, 2004 at 13:41:36 Pacific

Reply: A few more things (if anyone is still there).

1. I have this log from the "UnHookExe." I saw used in these forums:

    [Version]
    Signature="$Chicago$"
    Provider=Symantec

    [DefaultInstall]
    AddReg=UnhookRegKey

    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0

*** SO BASICALLY, WHAT DOES THIS MEAN OR IS IT EVEN HELPFUL?

2. Most recently I also received this error, but only once (so far):

    EXPLORER caused an invalid page fault in module KERNEL32.DLL at 0177:bff7b997.
    Registers: EAX=00000000 CS=0177 EIP=bff7b997 EFLGS=00000246 EBX=8318708c SS=017f ESP=00f2f4ec EBP=83187078 ECX=c16fa5c0 DS=017f ESI=8318708c FS=3cef EDX=00000000 ES=017f EDI=0000019c GS=0000
    Bytes at CS:EIP: ff 76 04 e8 26 89 ff ff 5e c2 04 00 56 8b 74 24
    Stack dump: 00440950 7f8db9d5 8318708c 00f2f524 00000000 6307a840 6307a840 00000000 63041c58 00440950 00f2f520 6307a844 00f2f564 00000670 00f2f54c 6302bc4f

3. Should I still post to this forum or would it be best to post to another forum?

Thanks Derek... any more takers? I still have some more finger nubs to bite.
(I can also provide a startup log if that would be of any help.)
fingers crossed....

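mazeo asks above what the UnHookExe listing means. As an added example, not Symantec's tool nor anything posted in the thread, the Python below parses those AddReg directives the way an analyst would read them: it resolves the INF quoting, decodes the flag field, and compares the resulting values with the stock Windows shell\open\command defaults, so the same comparison can be run over values exported from a suspect machine. The lenient treatment of the stray inner quote on the regfile line is an assumption about setupapi's parser; the expected defaults are the stock Windows values.

```python
# Constructed copy of the INF text quoted above (lines as posted; not Symantec's own file).
UNHOOK_INF = r'''
[Version]
Signature="$Chicago$"
Provider=Symantec
[DefaultInstall]
AddReg=UnhookRegKey
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
'''
# setupapi AddReg flags: value type in bits 0xFFFF0001; 0x20 OVERWRITEONLY = only touch an existing value.
FLG_ADDREG_TYPE_MASK = 0xFFFF0001
ADDREG_TYPES = {0x0: "REG_SZ", 0x1: "REG_BINARY", 0x10000: "REG_MULTI_SZ",
                0x20000: "REG_EXPAND_SZ", 0x10001: "REG_DWORD", 0x20001: "REG_NONE"}
ADDREG_FLAGS = {0x2: "NOCLOBBER", 0x4: "DELVAL", 0x8: "APPEND",
                0x10: "KEYONLY", 0x20: "OVERWRITEONLY"}
# Stock Windows values for the six classes; anything else runs in front of every program launch.
DEFAULT_OPEN_COMMANDS = {
    **{f"HKLM\\Software\\CLASSES\\{c}\\shell\\open\\command": '"%1" %*'
       for c in ("batfile", "comfile", "exefile", "piffile", "scrfile")},
    "HKLM\\Software\\CLASSES\\regfile\\shell\\open\\command": 'regedit.exe "%1"',
}

def inf_section(text, name):
    """Non-empty, non-comment lines of INF section [name]."""
    lines, current = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].lower()
        elif current == name.lower():
            lines.append(s)
    return lines

def split_inf_fields(line):
    """Split on commas outside quotes; inside quotes "" is a literal quote.  A lone inner
    quote not followed by a delimiter is kept (assumed setupapi leniency; regfile line needs it)."""
    fields, buf, quoted, i = [], [], False, 0
    while i < len(line):
        ch, nxt = line[i], line[i + 1:i + 2]
        if ch == '"' and quoted and nxt == '"':
            buf.append('"'); i += 2; continue
        if ch == '"' and quoted and nxt not in ("", ",", " ", "\t"):
            buf.append('"')            # stray inner quote, keep it
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf).strip())
    return fields

def decode_addreg(section_lines):
    """Map each AddReg line to the registry write it performs."""
    entries = []
    for line in section_lines:
        root, subkey, name, flags, data = (split_inf_fields(line) + [""] * 5)[:5]
        fl = int(flags, 16) if flags else 0
        entries.append({"key": f"{root}\\{subkey}", "value_name": name or "(Default)",
                        "type": ADDREG_TYPES.get(fl & FLG_ADDREG_TYPE_MASK, "UNKNOWN"),
                        "flags": [n for b, n in ADDREG_FLAGS.items() if fl & b], "data": data})
    return entries

def audit_open_commands(observed):
    """Keys whose observed (Default) command differs from stock; observed maps key -> string."""
    return sorted(k for k, v in DEFAULT_OPEN_COMMANDS.items() if observed.get(k) != v)
```

Decoding the seven lines shows the six launch commands being reset to the stock values and DisableRegistryTools being written as 0 only where that value already exists (the OVERWRITEONLY flag), i.e. the file removes a registry-tools lockout rather than imposing one. A regedit export that disagrees with DEFAULT_OPEN_COMMANDS is the clearest sign that something is still hooked in front of every program launch.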
Response Number 4
Name: Derek
Date: June 23, 2004 at 13:51:28 Pacific

Reply: Firstly, I assume you have at least run "Ad-Aware", "SpyBot Search & Destroy", and "CWShredder" (from what you said). If not, try any you missed. There is also a trojan finder called a2free which is worth running. Windows and IE are very much linked. Although it's rather unlikely it will help, it would only take minutes to run IE Repair. Double click "Microsoft IE & Tools" in Control Panel/Add-Remove and hopefully you will get the option. Worth giving it a quick whirl. If you are contemplating reformatting then my feeling is that there is nothing lost by just overlaying Windows first. If this doesn't do the trick then you have wasted about 45 mins but can still opt for a reformat. If it should work it will have saved you losing any of your own files and having to get all the drivers you would need. You may find the odd program or update that will need installing afterwards. Derek.W

Response Number 5
Name: Derek
Date: June 23, 2004 at 13:56:08 Pacific

Reply: ... our posts overlapped. See if there are any other takers regarding "UnHookExe". Doesn't mean much to me. Derek.W

Response Number 6
Name: mazeo
Date: June 24, 2004 at 13:56:48 Pacific

Reply: Thanks Derek, there don't seem to be any takers... but I tried IE repair again and I am given a message that says it cannot repair due to missing "homepage"??? I guess I do have a Windows problem... but it all started with a hijacked browser, trojan, etc...... I have downloaded and run CWShredder, and on each occasion it found nothing. I also use Ad-Aware and SpyBot S&D and they work; they took care of my virus problems (46 bugs altogether) but now I have explorer/windows/registry madness... I think I should try my luck on the Windows forum?? But I fear the worst, my problem looks too messy... $$$$$$

Response Number 8
Name: Derek
Date: June 24, 2004 at 15:57:10 Pacific

Reply: First of all I am assuming that this Unhook thingy is showing an extract of what is in your registry under those entries. Better confirm/deny it because the following is on that assumption. If so, the first six are different from those in my W98SE (in a subtle way) and I feel it very likely that some nasty or other has changed them. I doubt W98SE would be different to W98 in these areas. The last one is not in my registry and looks like a deliberate attempt to disable registry tools. I have made up a .reg file that will change those registry entries to mine. It will also delete the last one and add HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System (just in case this entry has been removed). I have the screensaver disabled so you may have to reactivate it - a minor problem as far as your situation is concerned. Now for the "get out" clause. If you care to try this then it must be at your own risk (perhaps you need just a tad more confidence in me than I have LOL). The way I see it you can always overlay Windows (if you have a CD) but with those dud entries you could still be in trouble if it keeps them afterwards. If you change to mine it will either cure your problems or you will have a better basis for reloading Windows. What'dya think? I'm one of the helpers on W9x by the way (but nobody is perfect). Let me know if you want to try my file; you just double click it then reboot. I won't feel upset if you decide to give it a miss. Derek.W

Response Number 9
Name: mazeo
Date: June 25, 2004 at 13:03:34 Pacific

Reply: Many thanks to you Derek... I'm not sure if I am 100% on your option at this point; I fear my inexperience would only further complicate things if something were to get more tweaked out. In the meantime, that "UnHookExe." I previously posted came from the Symantec security updates on their site: http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html I assume it has something to do with my use of Norton 2003 and the hijacked browser/trojan problems I was having. Not to get too complicated, but I have seen (on various tech forums) a link between Norton AV and old CompuServe programs. Something about deleting/removing CS programs can wreak havoc on Norton Utilities such as Norton Reg Editor/Manager. I just thought that my Norton RegEd was not part of the package or something b/c it's never worked. It's not applicable, only greyed out. And I did remove a lot of CompuServe junk, but that was a long time ago... who knows... at this point anything and everything is as much a problem as a solution. But I'm still here trying to figure it out. I can only post messages here from work; the problem child at home will not let me post messages, email, attachments, anything anywhere including this forum... so I'm here only from 9 to 5... gotta make the best of it... thanks for all your input. maz

Response Number 10
Name: Derek
Date: June 25, 2004 at 14:01:40 Pacific

Reply: Not sure I can suggest anything more unless you dare peer into the registry to check one or two of those entries. That would determine whether or not I am on the right track. Kinda think that .reg file might have worked but quite understand you not wishing to rock the boat. I'll keep it on file a while in case you change your mind. There are ways back to the original registry. I assume you have already run Ad-Aware, SpyBot and CWShredder. Sounds like some nasty has left some dud registry entries in place. Derek.W

Response Number 11
Name: mazeo
Date: June 25, 2004 at 14:50:28 Pacific

Reply: Hmm... how do you back up a registry? Or what's the best way? At this point I am willing to give the reg. entries a try, only I am running on Win98 and I do not have a disk, but I do have a disk for Win98 SE; but when I try to upgrade or look for missing files I am unable. It's been a while but the upgrade etc. stops and alerts me that I cannot use Win98 SE for the system I have. (I could clarify later once I try it again.) Also, what's the exact difference between formatting a HD and partitioning? Do I have to do a complete format? But more importantly, how do I back up the reg and the rest of my files? Thank you for your patience..... maz

Response Number 12
Name: mazeo
Date: June 25, 2004 at 14:59:02 Pacific

Reply: . . . . . . I have run Ad-Aware, SpyBot S & D, and CWShredder, and through the good help of these forums I have run online virus scans. I don't have a list of all that was found at this time but it was a back door trojan...... as well as some malware, and other spyware.... basically my pc got punked or whatever the analogy might be... it's not the greatest feeling being a pawn in the middle of a battlefield.... not a developer or a hacker, just a simple user... easy prey huh?!?!

Response Number 13
Name: Derek
Date: June 25, 2004 at 15:33:45 Pacific

Reply: You didn't mention a virus checker. If you've not got one already, AVG is a reasonable freebie. I assume you are still stuck with your main problem tho. Derek.W

Response Number 14
Name: Derek
Date: June 25, 2004 at 16:03:53 Pacific

Reply: Just one last thought. If you should decide that the only way forward is to reformat then that obviously erases everything. In which case you might as well try my .reg file first because it only takes seconds, and if it doesn't do the trick you can still reformat just the same. If it works then it will save you the reformat. All the .reg file does is reset the areas you showed to their normal settings (W98SE but I doubt they are different to W98). Otherwise you could try posting on the W98 forum just in case someone comes along with some alternative ideas. You never know. Derek.W

Response Number 15
Name: mazeo
Date: June 25, 2004 at 17:09:06 Pacific

Reply: I'm going to try and post over at the Win98 forum and try my luck there... as it is, I cannot post or email anything from home... so I'm gonna have to sit tight until Mon. But please stay in touch as I would like to try your reg. file. I just want to do a bit more research before I completely rearrange things... again many thanx.. maz

Response Number 16
Name: Derek
Date: June 28, 2004 at 20:20:34 Pacific

Reply: Just to say that I am now more convinced that my idea of resetting those registry entries will do the trick. I won't bore you with the details but something mildly similar happened to me since you posted and that concept fixed it. We can always export one or two of your entries first and have a look at them if you still want to consider using that .reg file. Derek.W

Response Number 17
Name: mazeo
Date: June 29, 2004 at 15:11:19 Pacific

Reply: Hey Derek... still there?!?! Let's do it! Just run that by me one more time... what's the worst that can happen again? Basically I want to be able to have some path of recovery if I mess it up. maz

Response Number 18
Name: Derek
Date: June 29, 2004 at 17:09:18 Pacific

Reply: Wow, talk about a bit of unfortunate timing. I deleted some unwanted files and by accident included a whole stack of stuff in a folder, including that .reg file I'd made for you. Seems there was too much for the bin and I lost the lot forever. No problem, I'll get it made up again. In the meantime do this: Make a folder straight on the C drive called regstuff (so that's c:\regstuff if you are into DOS jargon). Next type regedit in the Run box. When the screen comes up make sure "My Computer" is highlighted (it should be). Go to Registry (top left), drop down and hit "Export Registry File". Steer it to c:\regstuff and save it as oldreg. You should then have a file called oldreg.reg in c:\regstuff which, if you need to double click on it later, will merge back the whole of your current registry. So that's your safety net sorted. Pop back when you've done that and in the meantime I should have that file again. I will also need your email address (I double clicked one of yours a while back and it was sent back). If you need to put your email addy on this page make sure it is not in the standard form, otherwise the spammers' search engines will find it. Use this format (my address): derek dot watts "at sign" lineone dot net Get it? Just trying to prevent you getting spammed. Derek.W

Response Number 19
Name: Derek
Date: June 29, 2004 at 17:33:12 Pacific

Reply: Be prepared for the possibility that this nasty might have prevented you getting into the registry (that bit about DisableRegistryTools is worrying). If so we will have to visit DOS, I'm afraid. Derek.W

Response Number 20
Name: Derek
Date: June 29, 2004 at 19:59:31 Pacific

Reply: I'm gonna be AWOL for a bit. Email me if you wish, might be easier. I can update this post with the outcome if anyone else is still watching. I've produced the file and tested it out on my machine. It didn't turn into an elephant or anything LOL. Derek.W

Response Number 21
Name: mazeo
Date: July 2, 2004 at 15:32:01 Pacific

Reply: Please, let's try that reg. file... I will also be AWOL for a bit, contact me when you can, or I will be in touch soon.... thanx Derek. mazeo "at sign" excite dot com

Response Number 23
Name: Derek
Date: July 2, 2004 at 17:22:20 Pacific

Reply: Same trouble. I sent the file (all pretty in an email with full instructions) and back it came again. Seems as if it thinks I'm a spammer or something (quite the reverse). It gave me a website address but this asks for my email address so that's a no-no. So, we're stuck unless you can give me another email addy or work out some way I can get the file to you. Maybe your server can help. It's possible that a spammer is using my email address I suppose, and it has got blacklisted. Kinda wouldn't surprise me, but if the ISPs do that then it won't be long before all email traffic ceases. I've certainly had some messages returned that I never sent (from time to time). Derek.W

Response Number 24
Name: Derek
Date: July 2, 2004 at 18:36:46 Pacific

Reply: Hi mazeo. Just as an aside, for laughs, I found the appropriate Excite website and this is what I sent them:

============================================
I note that your website uses JavaScript. I have therefore had to lower my security in order to write to you. It seems I have to risk the possibility that you are some spamming organisation (or worse) in order to complain.

[Message header pasted here]

I keep getting the message returned. It contains a .reg file attachment which I am trying to send in order to help the recipient overcome a computer problem. Have you any idea why this is? It reads as if I am a spammer myself. Quite the reverse, I am doing my utmost with filters in order to reduce the massive quantity of spam I am receiving. My machine is totally virus free, trojan free, malware free and adware free (or it was before lowering my guard to write to you). It is not beyond possibility that a spammer is using my email address. If this is the reason then such a bizarre blocking by your organisation will soon lead to total stoppage of all email. A most odd way to deal with a world wide problem. I would be pleased to receive your comments and ask that you take whatever steps are necessary in order for my message to be delivered.
============================================

Their response could be interesting. Derek.W

Response Number 25
Name: Derek
Date: July 2, 2004 at 20:05:02 Pacific

Reply: mazeo, a friend has kindly agreed to copy/paste the email to you (with file). It should arrive in due course, unless Excite think he's a spammer too. Better continue back here, as email comms are obviously only one way at present. Derek.W

Response Number 26
Name: mazeo
Date: July 6, 2004 at 17:17:50 Pacific

Reply: Derek, thanx for your diligence. I've been having problems with that account as well; I can only access it from certain servers.... don't know why. I think though that I may have deleted that email... b/c I didn't recognize the name; yes it had computing.net in the title but I did not want to take any chances.... hmmm... but it did work it looks like... so could he/she try it again??? Thanks for everything maz

Response Number 27
Name: Derek
Date: July 6, 2004 at 17:27:33 Pacific

Reply: Have I read you right, you still need the file? I'll assume you want email again so I'll try to send it direct to you (Excite "seemed" as if they were saying they had dealt with my email problem). The subject will be "Derek from Comp-Net". Derek.W

Response Number 29
Name: Derek
Date: July 6, 2004 at 17:50:01 Pacific

Reply: Yep, he still has it on file and is going to send it again. It will have the subject line that it had in the first place. Derek.W

Response Number 30
Name: mazeo
Date: July 9, 2004 at 14:31:25 Pacific

Reply: Whoo-Hoooo! Got it. I probably will not get to it until this weekend but I am going to keep you posted.... thank you very much. I can also try to keep you updated via email if this post is dragging, but in the meantime.... I'm crossing my fingers..... -maz

Response Number 32
Name: mazeo
Date: July 12, 2004 at 12:57:43 Pacific

Reply: Ok...... you still there Derek? Well, I was able to export and save my registry, and.... here goes.... I thought I saved your reg. file, but when I tried to import it into my registry I received this: "The specified file is not a registry script. You can import only registry files." I have yet to figure out on what end I lost the .reg access. I am using a Mac here and a PC at home, so I tried to save your reg file directly to a floppy this time, so tonight I will try again. If I haven't used all my lifelines yet, you can also get to me at: mazeomaz "at sign" hotmail dot com Thanks again. I thought this was dragging on; there's another post in this forum with over 100 postings!!!

Response Number 33
Name: Derek
Date: July 12, 2004 at 14:00:01 Pacific

Reply: Very odd. The file left me in good condition but just for the heck of it I just tried it on my machine again (using my saved copy) and it went in fine. The only other reasons I can think of for it playing up are that it maybe got corrupted via the email or that your "nasty" is somehow preventing it from going in. On the basis that your registry export worked OK the latter now seems less unlikely. So let's just confirm a couple of points. Firstly the filename should be Regfix.reg and it is 690 bytes (as viewed in Properties, using Windows Explorer). If the file size has changed it is a sure sign that something has gone adrift. Presumably you just plonked the file somewhere on your hard disk and double clicked it. If you still get problems send the file back to me over the email and I'll check to make sure it is identical to the original one I sent. I will try emailing you (as a test) but last time it got returned again. I have a feeling that you can't add to posts on here after a while (possibly one month) so we either need to get this sorted soon or establish email comms some other way. Derek.W

Response Number 34
Name: Derek
Date: July 12, 2004 at 14:04:15 Pacific

Reply: .... ooops. Sorry, totally missed the fact that you had given a different email addy. I'll give it a whirl. Derek.W